Zerologon vulnerability threatens domain controllers

The CVE-2020-1472 vulnerability in the Netlogon protocol, aka Zerologon, lets attackers hijack domain controllers.

On August’s Patch Tuesday, Microsoft closed several vulnerabilities, among them CVE-2020-1472. The Netlogon protocol vulnerability was assigned a “critical” severity level (its CVSS score was the maximum, 10.0). That it might pose a threat was never in doubt, but the other day, Secura researcher Tom Tervoort (who discovered it) published a detailed report explaining why the vulnerability, known as Zerologon, is so dangerous and how it can be used to hijack a domain controller.

What is Zerologon all about?

Essentially, CVE-2020-1472 is a result of a flaw in the Netlogon Remote Protocol cryptographic authentication scheme. The protocol authenticates users and machines in domain-based networks and is also used to update computer passwords remotely. Through the vulnerability, an attacker can impersonate a client computer and replace the password of a domain controller (a server that controls an entire network and runs Active Directory services), which lets the attacker gain domain admin rights.

Who is vulnerable?

CVE-2020-1472 presents a risk to companies whose networks are based on domain controllers running under Windows. In particular, cybercriminals can hijack a domain controller based on any version of Windows Server 2019 or Windows Server 2016, as well as any edition of Windows Server version 1909, Windows Server version 1903, Windows Server version 1809 (Datacenter and Standard editions), Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 Service Pack 1. To attack, cybercriminals would first need to penetrate the corporate network, but that is not such a major issue — insider attacks and penetration through Ethernet outlets in publicly accessible premises are hardly unprecedented.

Fortunately, Zerologon has yet to be used in a real-world attack (or at least, none has been reported). However, Tervoort’s report caused a stir, most likely attracting cybercriminal attention, and although the researchers did not publish a working proof of concept, they have no doubt attackers can create one based on the patches.

How to protect against Zerologon attacks

Microsoft released patches to close the vulnerability for all affected systems in early August this year, so if you haven’t updated yet, it’s time to get moving. In addition, the company recommends monitoring any login attempts made through the vulnerable version of the protocol and identifying devices that do not support the new version. Ideally, according to Microsoft, the domain controller should be set to a mode in which all devices use the secure version of Netlogon.

The updates do not enforce this restriction, because Netlogon Remote Protocol is used not only in Windows — many devices based on other operating systems also rely on the protocol. If you make its use mandatory, devices that don’t support the secure version will not function properly.

Nevertheless, starting February 9, 2021, domain controllers will be required to use such a mode (i.e., forcing all devices to use the updated, secure Netlogon), so administrators will have to solve the problem of third-party-device compliance in advance (by updating or manually adding them as exclusions). For more information about what the August patch does and what will change in February along with detailed guidelines, see this Microsoft post.
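The monitoring and enforcement steps described above, as an added PowerShell example that is not part of the original post or of Microsoft's guidance. It assumes the NETLOGON event IDs 5827–5831 and the `FullSecureChannelProtection` registry value that Microsoft documents for CVE-2020-1472, and is meant to be run on a patched domain controller.

```powershell
# Added example (not from the original post). Assumes the Netlogon event IDs
# (5827-5831) and the FullSecureChannelProtection registry value documented in
# Microsoft's CVE-2020-1472 guidance; run on a patched domain controller.

# --- 1. Check whether enforcement mode is already on ------------------------
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$mode = Get-ItemProperty -Path $params -Name FullSecureChannelProtection -ErrorAction SilentlyContinue
if ($mode -and $mode.FullSecureChannelProtection -eq 1) {
    Write-Host 'Enforcement mode: ON (vulnerable Netlogon connections are refused)'
} else {
    Write-Host 'Enforcement mode: OFF (deployment phase; vulnerable connections are only logged)'
}

# --- 2. Find devices still using the vulnerable secure channel ---------------
# 5827/5828 = denied (machine / trust account), 5829 = allowed because
# enforcement is off, 5830/5831 = allowed by an explicit exclusion policy.
$ids = 5827, 5828, 5829, 5830, 5831
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = $ids
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# The account name is pulled from the event text; the "SamAccountName:" label
# is assumed from the format of Microsoft's 582x event messages.
$report = $events | ForEach-Object {
    $acct = if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
    [pscustomobject]@{ Account = $acct; EventId = $_.Id; Seen = $_.TimeCreated }
} | Group-Object Account, EventId | ForEach-Object {
    [pscustomobject]@{
        Account  = $_.Group[0].Account
        EventId  = $_.Group[0].EventId
        Count    = $_.Count
        LastSeen = ($_.Group | Sort-Object Seen -Descending | Select-Object -First 1).Seen
    }
} | Sort-Object Count -Descending

if ($report) { $report | Format-Table -AutoSize }
else { Write-Host 'No vulnerable Netlogon connections logged in the last 7 days.' }

# --- 3. Turn on enforcement once the list above is empty or fully excluded ---
# Uncomment to enable now; the February 2021 update enforces this mode regardless.
# Set-ItemProperty -Path $params -Name FullSecureChannelProtection -Value 1 -Type DWord
```

Devices that keep appearing with event 5829 are the ones that will break when enforcement starts, so they need updating or an explicit exclusion before the February deadline.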