Zerologon is the name given to a security vulnerability found in Microsoft Windows domain controllers by Secura. It is an unauthenticated privilege escalation vulnerability in the Netlogon Remote Protocol (MS-NRPC). An attacker can leverage this flaw to gain administrative access to a Windows domain.
This vulnerability was assigned CVE number CVE-2020-1472 and rated critical. The Zerologon vulnerability, which Microsoft patched in August, has been making the news lately as proof-of-concept exploits have started to appear in the wild. In this post, I will discuss in more detail what this vulnerability is and how you can defend against it.
How Does the Zerologon Vulnerability Work?
This vulnerability is exploited through a flaw in the cryptographic implementation of the Netlogon Remote Protocol on Windows domain controllers. The following excerpt from a Secura white paper provides a good summary of the vulnerability:
“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password. This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premises network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”
The white paper goes into detail on what the vulnerability is and how it is exploited. In most environments, it is critical to protect the Windows domain. Once an attacker compromises the domain, they will have full access to all systems and data within a network.
Is Zerologon Actively Being Exploited?
Yes. This vulnerability has received a lot of attention recently because of its severity and because a proof-of-concept exploit has been shared publicly. Publicly available exploits allow less skilled attackers to attempt attacks that can cause damage or unauthorized access. Additionally, the Microsoft Security Intelligence team is monitoring active exploitation of this vulnerability in the wild. The team recently tweeted the following:
“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.”
How Do I Secure My Organization?
The only way to fix this vulnerability is to apply the patch that Microsoft released in August. Links to the patch can be found at Microsoft’s site here. There are no official workarounds.
The patch that Microsoft released is the first step in protecting against this specific vulnerability. In February 2021, there will be a second patch that enforces secure MS-NRPC connections to domain controllers. It is critical that all systems in your environment are patched and kept up to date.
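The attack described above and the two-phase patch just discussed both leave traces a defender can look for. The following is an added example for this post, not code from the original article, from Secura, or from Microsoft: a small analyzer that runs over domain controller event records and flags (a) the Netlogon events Microsoft's CVE-2020-1472 guidance introduced with the August 2020 update, namely 5827/5828 for a vulnerable secure-channel connection that was denied and 5829 for one that was still allowed and must be fixed before the enforcement phase, and (b) the standard Security event 4742 (computer account changed) when the change was made by an anonymous session against a domain controller's machine account, which is the pattern the Secura quote describes. The log records are constructed samples in a simplified JSON export, and the field names and the `dc_accounts` parameter are assumptions of this example.

```python
"""Added detection example for CVE-2020-1472 (not from the original post).

Assumptions (labelled): event IDs 5827/5828/5829 are the Netlogon secure-channel
events documented in Microsoft's CVE-2020-1472 guidance; 4742 is the standard
"computer account was changed" audit event. Records are a simplified JSON export
with constructed field names, one record per line.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Netlogon event IDs added by the August 2020 update (per Microsoft guidance).
NETLOGON_DENIED = {5827, 5828}        # vulnerable secure channel refused by the DC
NETLOGON_ALLOWED_VULNERABLE = {5829}  # vulnerable secure channel still allowed
COMPUTER_ACCOUNT_CHANGED = 4742       # Security log: computer account was changed


@dataclass
class Finding:
    severity: str
    event_id: int
    computer: str
    reason: str


def analyze_event(event: dict, dc_accounts: Set[str]) -> Optional[Finding]:
    """Return a Finding for one event record, or None if it is not of interest."""
    eid = event.get("EventID")
    account = event.get("SamAccountName", "?")  # assumed field for Netlogon events
    if eid in NETLOGON_DENIED:
        return Finding("medium", eid, account,
                       "vulnerable Netlogon secure channel denied (device still needs fixing)")
    if eid in NETLOGON_ALLOWED_VULNERABLE:
        return Finding("high", eid, account,
                       "vulnerable Netlogon secure channel ALLOWED; fix before enforcement phase")
    if eid == COMPUTER_ACCOUNT_CHANGED:
        subject = event.get("SubjectUserName", "")
        target = event.get("TargetUserName", "")
        # A computer-account change from an anonymous session is never expected;
        # against a DC's own account it matches the Zerologon password reset.
        if subject.upper() == "ANONYMOUS LOGON" and target.endswith("$"):
            severity = "critical" if target in dc_accounts else "high"
            return Finding(severity, eid, target,
                           "computer account changed by ANONYMOUS LOGON (Zerologon pattern)")
    return None


def analyze_log(lines: Iterable[str], dc_accounts: Set[str]) -> List[Finding]:
    """Scan JSON-per-line event records; malformed lines are skipped, not fatal."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = analyze_event(event, dc_accounts)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records (not captured from a real domain controller).
SAMPLE_LOG = [
    '{"EventID": 5829, "SamAccountName": "LEGACY-NAS$", "Channel": "System"}',
    '{"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "Channel": "Security"}',
    '{"EventID": 4742, "SubjectUserName": "svc-join", "TargetUserName": "WS042$", "Channel": "Security"}',
    '{"EventID": 4624, "SubjectUserName": "alice", "Channel": "Security"}',
    'not a json record',
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG, dc_accounts={"DC01$"}):
        print(f"[{f.severity}] event {f.event_id} on {f.computer}: {f.reason}")
```

The two signals complement each other: 5829 tells you which devices will break when the February 2021 enforcement phase arrives, while 4742 from an anonymous session against a DC account is the post-exploitation trace to treat as an incident rather than a patching task.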
CDW Managed Services can help you keep up to date with your patching through our Gold Managed Services and our Patching-as-a-Service offering. Talk to your account manager for more details.
- Microsoft Security Update Guide: CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability
- Mitre: CVE-2020-1472
- NIST NVD: CVE-2020-1472
- Bleeping Computer: Windows Zerologon PoC exploits allow domain takeover. Patch Now!
- CISA Releases Emergency Directive on Microsoft Windows Netlogon Remote Protocol