ZeroLogon Windows Active Directory Privilege Escalation Exploit

Priority: Critical

Executive Summary:
Researchers at Secura have recently created and published a proof-of-concept (PoC) exploit which can allow access to an organisation’s most critical server, the Active Directory domain controller [1]. The researchers have named the PoC ‘Zerologon’. The vulnerability (CVE-2020-1472) carries a critical severity rating from Microsoft [2].

A successful exploit requires an attacker to already be inside the network, either through a compromised device or as an unprivileged insider. Zerologon allows attackers to gain control of the Active Directory server almost instantly by using the Netlogon vulnerability to elevate their privileges. Once the Active Directory server is compromised, the attacker has many avenues for further malicious action, such as removing other users’ access and infecting other machines with malware of their choice.

Zerologon works by sending a string of zeros in a series of messages that use the Netlogon protocol. Windows servers rely on this protocol for a range of tasks, including permitting end users to log into the network. The vulnerability is the result of a flaw in the Netlogon Remote Protocol’s cryptographic authentication scheme.

The protocol is used to authenticate users and machines in domain-based networks and is also used to update computer passwords remotely. By leveraging the vulnerability, an attacker can impersonate a client computer and replace the password of a domain controller, which allows the attacker to obtain domain administrator credentials. The attack requires a TCP connection to a vulnerable domain controller.

Microsoft have described the vulnerability as follows:

“An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access” [2].

Microsoft released patches for affected server versions on the 11th August. However, now that Secura have released a PoC exploit, it is not expected to be long until attackers begin exploiting servers which have not yet been patched. ITC recommends ensuring any affected systems are patched as soon as possible if they have not already been.

Detect:
All Windows domain controllers running unpatched versions are affected by this vulnerability.

For ITC’s VI customers, the vulnerability will be detected through ongoing scans, or through ad-hoc scans if required.

Affected Products:
The vulnerability CVE-2020-1472 poses a risk to organisations that have domain controllers running Windows within their environment. The affected server versions, with the corresponding update (KB) numbers, are listed below:

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1: KB4571729
  • Windows Server 2012: KB4571736
  • Windows Server 2012: KB4571702
  • Windows Server 2012 R2: KB4571703
  • Windows Server 2012 R2: KB4571723
  • Windows Server 2016: KB4571694
  • Windows Server 2019: KB4565349
  • Windows Server, version 1903: KB4565351
  • Windows Server, version 1909: KB4565351
  • Windows Server, version 2004: KB4566782

(More details on affected versions are available on Microsoft’s release page [2])

Prevent:
Microsoft recommends monitoring any login attempts made through the vulnerable version of the protocol and identifying devices that do not support the new version. According to Microsoft, the domain controller should be configured in a mode where all devices must use the secure version of Netlogon. The updates do not enforce this restriction by default because the Netlogon remote protocol is used by many non-Windows devices as well as Windows ones.

However, starting from 9 February 2021, domain controllers will be placed in ‘enforcement’ mode, which requires all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with the Netlogon secure channel [2].
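As an added illustration of the monitoring recommended above (example code written for this notice, not from Secura, Microsoft or ITC), the following Python triage runs over constructed Netlogon event records of the kind a domain controller logs after the August 2020 update. The event IDs are the Netlogon secure-channel IDs Microsoft documented with that update, and the JSON field names are assumptions; neither is taken from this page. Accounts still being allowed over the vulnerable channel are the ones to fix before enforcement mode arrives.

```python
import json
from collections import defaultdict

# Netlogon secure-channel event IDs documented by Microsoft with the August 2020 update;
# they are not listed on the page above.
DENIED = {5827, 5828}             # vulnerable connection denied (machine / trust account)
ALLOWED_VULNERABLE = {5829}       # allowed only because the DC is not yet in enforcement mode
ALLOWED_BY_POLICY = {5830, 5831}  # allowed because the account is exempted by group policy

# Constructed sample records (one JSON object per line; field names are assumptions).
SAMPLE_EVENTS = """\
{"Id": 5829, "TimeCreated": "2020-09-15T08:01:12", "Account": "PRINTER01$", "Domain": "CORP", "Client": "10.0.5.23"}
{"Id": 5829, "TimeCreated": "2020-09-15T08:03:40", "Account": "PRINTER01$", "Domain": "CORP", "Client": "10.0.5.23"}
{"Id": 4624, "TimeCreated": "2020-09-15T08:04:02", "Account": "alice", "Domain": "CORP", "Client": "10.0.7.9"}
{"Id": 5827, "TimeCreated": "2020-09-15T08:10:55", "Account": "NAS02$", "Domain": "CORP", "Client": "10.0.5.40"}
{"Id": 5830, "TimeCreated": "2020-09-15T08:12:19", "Account": "LEGACYAPP$", "Domain": "CORP", "Client": "10.0.9.2"}
"""

def parse_events(text):
    """Parse newline-delimited JSON event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def summarise_netlogon(events):
    """Count Netlogon secure-channel outcomes per DOMAIN\\account; other events are ignored."""
    summary = defaultdict(lambda: {"denied": 0, "allowed_vulnerable": 0, "allowed_by_policy": 0})
    for ev in events:
        account = ev["Domain"] + "\\" + ev["Account"]
        if ev["Id"] in DENIED:
            summary[account]["denied"] += 1
        elif ev["Id"] in ALLOWED_VULNERABLE:
            summary[account]["allowed_vulnerable"] += 1
        elif ev["Id"] in ALLOWED_BY_POLICY:
            summary[account]["allowed_by_policy"] += 1
    return dict(summary)

def triage(summary):
    """Accounts to fix before enforcement, accounts already denied, accounts exempted by policy."""
    report = {"fix_before_enforcement": [], "already_denied": [], "exempted_by_policy": []}
    for account, counts in sorted(summary.items()):
        if counts["allowed_vulnerable"]:
            report["fix_before_enforcement"].append(account)
        if counts["denied"]:
            report["already_denied"].append(account)
        if counts["allowed_by_policy"]:
            report["exempted_by_policy"].append(account)
    return report

if __name__ == "__main__":
    for bucket, accounts in triage(summarise_netlogon(parse_events(SAMPLE_EVENTS))).items():
        print(f"{bucket}: {', '.join(accounts) or '-'}")
```

Devices listed under already_denied are ones whose vendor update is needed regardless, while an entry under exempted_by_policy should prompt a review of why that exemption exists.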

React:
Microsoft released patches to mitigate this vulnerability for all affected systems in early August this year. If you have not done so already, ITC recommends installing these patches. The updates can be installed without further action, and Windows devices and domain controllers will then be protected from this vulnerability [2].

Sources:
[1] https://www.secura.com/blog/zero-logon
[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472