Unbeknownst to many, last month Microsoft patched one of the most severe bugs ever reported to the company, an issue that could be abused to easily take over Windows Servers running as domain controllers in enterprise networks.
The bug was patched in the August 2020 Patch Tuesday under the identifier CVE-2020-1472. It was described as an elevation of privilege in Netlogon, the protocol that authenticates users and computers against domain controllers.
The vulnerability received the maximum severity rating of 10, but details were never made public, so users and IT administrators never knew how dangerous the issue really was.
Take over a domain controller with a bunch of zeros
But in a blog post today, the team at Secura B.V., a Dutch security firm, has finally lifted the veil on this mysterious bug and published a technical report describing CVE-2020-1472 in greater depth.
And per the report, the bug is truly worthy of its 10/10 CVSSv3 severity score.
According to Secura experts, the bug, which they named Zerologon, takes advantage of a weak cryptographic algorithm used in the Netlogon authentication process.
This bug allows an attacker to manipulate Netlogon authentication procedures and:
- impersonate the identity of any computer on a network when trying to authenticate against the domain controller
- disable security features in the Netlogon authentication process
- change a computer’s password on the domain controller’s Active Directory (a database of all computers joined to a domain, and their passwords)
The gist, and the reason why the bug has been named Zerologon, is that the attack is done by adding zero characters in certain Netlogon authentication parameters (see graph below).
Image: Secura
The entire attack is very fast, taking three seconds at most. In addition, once an attacker can reach a domain controller, there are few limits to what the Zerologon attack can be used for. For example, the attacker could pose as the domain controller itself and change its password, allowing the attacker to take over the entire corporate network.
Take over a corporate network in three seconds
There are limitations to how a Zerologon attack can be used. For starters, it cannot be used to take over Windows Servers from outside the network. An attacker first needs a foothold inside a network.
However, when this condition is met, it’s literally game over for the attacked company.
“This attack has a huge impact,” the Secura team said. “It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain.”
Furthermore, this bug is also a boon for malware and ransomware gangs, which often rely on infecting one computer inside a company’s network and then spreading to multiple others. With Zerologon, this task has been considerably simplified.
Patches available; more to come
But patching Zerologon was no easy task for Microsoft, as the company had to modify how billions of devices connect to corporate networks, effectively disrupting the operations of countless companies.
This patching process is scheduled to take place over two phases. The first one took place last month, when Microsoft released a temporary fix for the Zerologon attack.
This temporary patch made the Netlogon security features (which Zerologon was disabling) mandatory for all Netlogon authentications, effectively breaking Zerologon attacks.
Nonetheless, a more complete patch is scheduled for February 2021, just in case attackers find a way around the August patches. Unfortunately, Microsoft anticipates that this later patch will end up breaking authentication on some devices. Some details about this second patch have been described here.
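The two-phase rollout leaves administrators with a practical question: which devices will stop authenticating once enforcement begins? After the August update, a patched domain controller writes Windows Security events 5827-5831 (per Microsoft's deployment guidance for this update) for every vulnerable Netlogon secure channel it sees. The following is an added triage example, not Secura's script or any Microsoft tool; it assumes a simplified, constructed text export of those events (real exports from Event Viewer or Get-WinEvent are laid out differently) and groups accounts by what the enforcement phase will do to them.

```python
"""Triage Netlogon secure-channel events ahead of the enforcement phase.

Event IDs and their meaning (from Microsoft's deployment guidance):
  5829: vulnerable connection allowed (denied once enforcement starts)
  5830/5831: vulnerable connection allowed by an explicit group-policy exception
  5827/5828: vulnerable connection denied
Line format here is a constructed simplification: "<event id> <account> <client IP>".
"""
import re
from collections import defaultdict

# Constructed sample export; account names and addresses are made up.
SAMPLE_LOG = """\
5829 WORKSTATION-17$ 10.0.5.17
5829 PRINTSRV01$ 10.0.5.40
5830 LEGACY-NAS$ 10.0.5.90
5827 WORKSTATION-17$ 10.0.5.17
5829 PRINTSRV01$ 10.0.5.40
4624 ADMIN-PC$ 10.0.5.2
"""

LINE_RE = re.compile(r"^(?P<id>\d{4})\s+(?P<account>\S+)\s+(?P<ip>\S+)$")

WILL_BREAK = {"5829"}        # allowed today, denied once enforcement is on
EXEMPTED = {"5830", "5831"}  # allowed through a group-policy exception
DENIED = {"5827", "5828"}    # already denied today


def parse_events(text):
    """Yield (event_id, account, ip) for every line matching the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("id"), m.group("account"), m.group("ip")


def triage(text):
    """Return which accounts will break, are exempted, or are already denied."""
    will_break = defaultdict(int)  # account -> number of vulnerable connections
    exempted, denied = set(), set()
    for event_id, account, _ip in parse_events(text):
        if event_id in WILL_BREAK:
            will_break[account] += 1
        elif event_id in EXEMPTED:
            exempted.add(account)
        elif event_id in DENIED:
            denied.add(account)
    # Unrelated events (e.g. 4624 logons) are ignored.
    return {"will_break": dict(will_break), "exempted": exempted, "denied": denied}


if __name__ == "__main__":
    for bucket, accounts in triage(SAMPLE_LOG).items():
        print(bucket, accounts)
```

Accounts in the will_break bucket are the ones to update or replace before enforcement; the exempted bucket shows where a deliberate exception has been configured and should be reviewed.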
Attacks using Zerologon are a given, primarily due to the bug’s severity, wide impact, and benefits for attackers.
Secura has not released proof-of-concept code for a weaponized Zerologon attack, but the company expects that these will eventually surface after its report spreads online today.
In the meantime, the company has released a Python script that can tell administrators whether their domain controller has been patched correctly.
Updated at 5:00 PM ET to add that, as expected, weaponized proof-of-concept code has been made publicly available, which means the exploitation window for this vulnerability is now open.