Posted on October 26, 2020 at 4:06 PM
A New Threat For Windows Servers: Zerologon Vulnerabilities
A new entry in the Common Vulnerabilities and Exposures (CVE) list was discovered by security researchers. The CVE has been dubbed Zerologon; Microsoft detailed it in a security update on the 11th of August, and its official name is CVE-2020-1472.
A Severe Exploit
The update details how the exploit can happen should an attacker establish a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). Should the attacker successfully exploit the vulnerability, they can then run a specially crafted application on a device on the network.
Microsoft assured the public that it was working on the problem and would issue a fix through a two-phase rollout. According to Microsoft, the issue is being handled by changing how Netlogon handles the usage of Netlogon secure channels.
Netlogon is what enables a domain controller to authenticate computers, as well as update computer passwords within Active Directory. This feature is particularly exposed by the CVE, because the flaw lets hackers impersonate any computer within the company’s network.
From there, the attacker can change that computer’s password, even where the network has two-factor authentication enabled. Through the Netlogon exploit, hackers are capable of gaining administrative access, changing the domain controller’s password, and taking control of the entire network.
Immediate Preventative Measures
After discovering the Zerologon exploit, Microsoft immediately rolled out a patch, which stands as the first part of its phased rollout. This rollout is planned to reach completion during the first few months of 2021.
Microsoft opted to release these patch updates in phases because the protocol changes could severely disrupt servers and networks that have not yet been updated.
Any Windows Server that receives security updates from Microsoft has already received this patch. However, it should be noted that many networks use non-Windows devices, or legacy Windows devices, that still use the protocol to communicate with domain controllers.
As it stands now, the Zerologon patch that was released in August blocks any form of attack. Provisions have also been made so that non-compliant clients can still communicate with domain controllers, which avoids broader disruptions.
Scurrying To Plug The Leaks
It was on the 14th of December when the Department of Homeland Security sent out an emergency directive through its Cybersecurity and Infrastructure Security Agency. This directive mandated that any federal agency using Windows Server apply the needed patches first. This came as a direct response to the high-risk security threat to the DHS’s information.
A deadline was set for the 21st of September, with any domain controllers that had not been updated by then to be promptly unplugged from the network at large.
As always, organizations potentially at risk of Zerologon attacks are urged to work alongside their IT departments to implement the patch and verify that it has been applied.
The August patch introduced five separate Event IDs for vulnerable Netlogon connections. Should a vulnerable secure channel connection be allowed during the initial deployment phase, Event ID 5829 is generated.
Some Personal Security Hints
In order to detect exploitation of the Zerologon vulnerability within your network, search for Event ID 4742 (a computer account was changed) where the subject is the “ANONYMOUS LOGON” user.
From there, check the Password Last Set field of the affected account for unexpected changes. The IT department can then comb across all domain controllers for activity within Active Directory, looking for the malicious code.
Admins can also monitor for Event IDs 5827 and 5828, which are generated when a vulnerable Netlogon connection is denied. Event IDs 5830 and 5831, on the other hand, are generated when a patched domain controller allows a vulnerable Netlogon connection because a Group Policy exception permits it.
As the patch rollout progresses, organizations are urged to keep monitoring their networks. Note that Microsoft has not identified any workarounds or mitigating factors for the vulnerability, which makes applying the Zerologon patch your only option.
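The two detection steps above (Event ID 4742 with an ANONYMOUS LOGON subject, and the Netlogon Event IDs 5827 through 5831) can be pulled together into one triage script run on a domain controller. The following PowerShell is an added example written for this page; it is not code from the original post or from Microsoft. It assumes the August 2020 update is installed (so the 5827-5831 events exist, logged by the NETLOGON source in the System log), that the Security log still covers the look-back window, and that the RSAT ActiveDirectory module is available for the Password Last Set lookup. The $DaysBack value is an arbitrary choice.

```powershell
# Added example (not from the original post): triage the Zerologon-related
# event IDs the post describes on a patched domain controller. Run elevated.
# Assumptions: August 2020 update installed; ActiveDirectory module present.
$DaysBack = 7                                   # look-back window (arbitrary)
$since = (Get-Date).AddDays(-$DaysBack)

# 1. Netlogon events introduced by the patch (System log, source NETLOGON).
$netlogonIds = @{
    5827 = 'DENIED: vulnerable machine account connection'
    5828 = 'DENIED: vulnerable trust account connection'
    5829 = 'ALLOWED: vulnerable connection permitted during initial deployment phase'
    5830 = 'ALLOWED by Group Policy exception: machine account'
    5831 = 'ALLOWED by Group Policy exception: trust account'
}
$netlogonEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = [int[]]$netlogonIds.Keys
    StartTime    = $since
} -ErrorAction SilentlyContinue

"Netlogon secure channel events since $since"
$netlogonEvents |
    Group-Object Id |
    ForEach-Object {
        [pscustomobject]@{
            EventId = [int]$_.Name
            Count   = $_.Count
            Meaning = $netlogonIds[[int]$_.Name]
        }
    } | Sort-Object EventId | Format-Table -AutoSize

# 5829, 5830 and 5831 mean a vulnerable connection was let through: each
# source machine listed in those events still needs patching or an explicit,
# reviewed Group Policy exception.
$allowed = $netlogonEvents | Where-Object { $_.Id -in 5829, 5830, 5831 }
if ($allowed) {
    "Vulnerable connections that were ALLOWED (review these machines):"
    $allowed | Select-Object TimeCreated, Id, Message | Format-List
}

# 2. Security event 4742 (computer account changed) where the actor is
#    ANONYMOUS LOGON, which is the pattern the post describes for Zerologon.
$suspicious = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4742
    StartTime = $since
} -ErrorAction SilentlyContinue |
ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['SubjectUserName'] -eq 'ANONYMOUS LOGON') {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Target  = $data['TargetUserName']    # e.g. DC01$
            Subject = $data['SubjectUserName']
        }
    }
}

if (-not $suspicious) {
    "No 4742 events with an ANONYMOUS LOGON subject since $since."
} else {
    # 3. For each hit, show when the password was last set on that account,
    #    so the change can be matched against the event time.
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($s in $suspicious) {
        $acct = Get-ADComputer -Filter "sAMAccountName -eq '$($s.Target)'" `
                               -Properties PasswordLastSet
        [pscustomobject]@{
            EventTime       = $s.Time
            ComputerAccount = $s.Target
            ChangedBy       = $s.Subject
            PasswordLastSet = $acct.PasswordLastSet
        }
    } | Format-Table -AutoSize
}
```

A 4742 event whose subject is ANONYMOUS LOGON and whose Password Last Set timestamp lines up with the event is the signal to treat the domain controller as compromised and start incident response rather than simply patching; a 5829 count that stays above zero after patching tells you which clients will break once enforcement begins.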