The Microsoft Zerologon vulnerability gives the bad guys a way to get in. Guess how? By sending a string of zeros to the server, of course. It’s a nasty vulnerability that’s being exploited in the wild. Even though Microsoft released a patch, many companies wait up to 90 days before patching. Have you patched? Are your services exposed?
What to do:
- Apply the Microsoft August security patches (if you haven’t already) for a stop-gap measure.
- Double-check if you have the RPC service exposed to the Internet. If so, close it.
- Mark your calendar for February. Microsoft will be releasing a more permanent.
How it Works
Attackers exploit the Netlogon service on Active Directory domain controllers. By sending all 00s for the client challenge and for the secret-key computation check, authentication succeeds. The odds are 1/256 that this will work on a given attempt. In practice this means up to 256 attempts are needed.
Although the attackers obtain a valid session, they can’t log in directly. However, they are then able to reset the password to a blank (null) value – again all 00s. They do this by pretending that the year is 1970 (the POSIX epoch), which makes the time value all 00s as well. Once the password is blank, the attackers steal credentials from the server. Because the compromised server is a domain controller, any user or service account can be impersonated.
What’s particularly dangerous is that the Ticket Granting Service (TGS) can be manipulated. In other words, an attacker gains the ability to create valid Kerberos tickets, meaning they can become any user, including domain admins. Or they can create a “golden ticket”, which lets them own the network.
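As an added illustration, not code from the original post: the all-zero trick works because Netlogon derived the 8-byte credential from the client challenge with AES in 8-bit cipher-feedback mode (CFB8) under a fixed all-zero IV. The model below, with an HMAC-SHA256 keyed function standing in for AES so it runs on the standard library alone, shows why a zero IV turns that into a 1-in-256 event and contrasts it with a fresh random IV (the function names and the stand-in cipher are this example's assumptions):

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size in bytes; the stand-in below keeps the same width

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """One block-cipher call. Assumption: HMAC-SHA256 truncated to one block
    stands in for AES so this runs on the standard library; the argument only
    needs the output to look random for a random key."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """8-bit cipher feedback: each output byte is plaintext XOR the first byte
    of the cipher applied to a shift register that starts as the IV and is
    fed the ciphertext bytes produced so far."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])  # drop oldest byte, feed c in
    return bytes(out)

def zero_iv() -> bytes:
    return bytes(BLOCK)  # the fixed all-zero IV Netlogon used

def random_iv() -> bytes:
    return os.urandom(BLOCK)  # a fresh IV per call, shown for contrast

def credential_is_all_zero(key: bytes, iv: bytes) -> bool:
    """Does an all-zero 8-byte client challenge give an all-zero credential?
    With a zero IV the register stays all zeros whenever the first output
    byte is zero, so every later byte is forced to zero as well."""
    return cfb8_encrypt(key, iv, bytes(8)) == bytes(8)

def zero_iv_invariant_holds(key: bytes) -> bool:
    """The zero-IV outcome is decided entirely by one byte of E_k(0^16)."""
    predicted = block_encrypt(key, bytes(BLOCK))[0] == 0
    return credential_is_all_zero(key, zero_iv()) == predicted

def success_rate(iv_factory, trials: int = 16384) -> float:
    """Fraction of random session keys for which the all-zero challenge yields
    an all-zero credential under the given IV policy."""
    hits = sum(credential_is_all_zero(os.urandom(16), iv_factory()) for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    print("zero IV  :", success_rate(zero_iv))    # close to 1/256 = 0.0039
    print("random IV:", success_rate(random_iv))  # effectively 0
```

The random-IV run is there only to show that the stuck shift register, not CFB8 itself, is what makes the probability 1/256; Microsoft's actual fix enforces secure RPC on the Netlogon channel rather than changing the IV.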
Links
The Microsoft and NVD links are below. Ignore Microsoft’s exploitability rating of 2 – it’s misleading. This has a CVSS score of 10/10 (Critical).
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
https://nvd.nist.gov/vuln/detail/CVE-2020-1472