Zerologon vulnerability threatens domain controllers

The CVE-2020-1472 vulnerability in the Netlogon protocol, aka Zerologon, lets attackers hijack domain controllers.

Hugh Aver, September 15, 2020

On August's Patch Tuesday, Microsoft closed several vulnerabilities, among them CVE-2020-1472. The Netlogon protocol vulnerability was assigned a "critical" severity level (its CVSS score was the maximum, 10.0). That it posed a threat was never in doubt, but only the other day did Secura researcher Tom Tervoort, who discovered it, publish a detailed report explaining why the vulnerability, now known as Zerologon, is so dangerous and how it can be used to hijack a domain controller.

What is Zerologon all about?

Essentially, CVE-2020-1472 results from a flaw in the cryptographic authentication scheme of the Netlogon Remote Protocol. The protocol authenticates users and machines in domain-based networks and is also used to update computer account passwords remotely. Through the vulnerability, an attacker on the network can impersonate a client computer and reset the computer account password of a domain controller (the server that controls an entire network and runs Active Directory services), which in turn lets the attacker obtain domain admin rights.

Who is vulnerable?

CVE-2020-1472 presents a risk to companies whose networks are built on domain controllers running Windows. In particular, attackers can hijack a domain controller running any version of Windows Server 2019 or Windows Server 2016; any edition of Windows Server version 1909 or Windows Server version 1903; the Datacenter and Standard editions of Windows Server version 1809; or Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 Service Pack 1. The attacker must first gain a foothold inside the corporate network, but that is not such a high bar: insider attacks and penetration through Ethernet outlets in publicly accessible premises are hardly unprecedented.
Fortunately, Zerologon has yet to be used in a real-world attack (or at least, none has been reported). However, Tervoort's report caused a stir and most likely attracted cybercriminal attention, and although the researchers did not publish a working proof of concept, they have no doubt attackers can build one by comparing the patched and unpatched code.

How to protect against Zerologon attacks

Microsoft released patches that close the vulnerability on all affected systems in early August this year, so if you haven't updated yet, it's time to get moving. In addition, the company recommends monitoring the domain controller's event log for connection attempts that still use the vulnerable version of the protocol, and using those entries to identify devices that do not support the secure version.

Ideally, according to Microsoft, the domain controller should be set to an enforcement mode in which every device must use the secure version of Netlogon. The August updates do not enforce this restriction on their own, because the Netlogon Remote Protocol is used not only by Windows: many devices based on other operating systems also rely on it, and if you make the secure version mandatory, devices that don't support it will stop working properly. Nevertheless, starting February 9, 2021, domain controllers will be switched to this mode regardless (i.e., all devices will be forced to use the updated, secure Netlogon), so administrators have to solve the problem of third-party-device compliance in advance, by updating those devices or, as a last resort, manually adding their accounts as exclusions. For more information about what the August patch does and what will change in February, along with detailed guidelines, see Microsoft's support article on the Netlogon secure channel changes associated with CVE-2020-1472.
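The three steps above (confirm the patch is in place, find devices still using the vulnerable handshake, then switch the domain controller to enforcement) can be worked through from an elevated PowerShell prompt on the domain controller. The script below is an added example and is not code from the original post, from Kaspersky or from Microsoft. It assumes the August 2020 update is already installed (the event IDs it reads only exist after that update), that the Netlogon event source is named NETLOGON and that its messages carry a "Machine SamAccountName:" field; the registry value it sets, FullSecureChannelProtection, is Microsoft's documented switch for enforcement mode.

```powershell
<#
  Added example, not code from the original post, from Kaspersky or from Microsoft.
  Audits a patched domain controller for Netlogon secure-channel connections that
  still use the pre-August-2020 (vulnerable) handshake, lists the accounts behind
  them, and optionally switches the DC to enforcement mode ahead of February 9, 2021.

  Assumptions not stated on the page:
    - the August 2020 (or later) update is installed, so the DC logs Netlogon
      events 5827-5831 in the System log;
    - the script runs in an elevated PowerShell session on the DC itself;
    - the event source is 'NETLOGON' and event messages contain a
      'Machine SamAccountName:' field.
#>
param(
    [int]$Days = 7,       # how far back to read the System log
    [switch]$Enforce      # set FullSecureChannelProtection=1 after the audit
)

# Event IDs added by the August 2020 update (documented in KB4557222).
$eventMap = @{
    5827 = 'DENIED  vulnerable connection (machine account)'
    5828 = 'DENIED  vulnerable connection (trust account)'
    5829 = 'ALLOWED vulnerable connection (machine account, deployment phase)'
    5830 = 'ALLOWED by policy exception (machine account)'
    5831 = 'ALLOWED by policy exception (trust account)'
}

function Get-VulnerableNetlogonClients {
    param([int]$Days)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'          # assumed source name, see header
        Id           = @($eventMap.Keys)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent errors out when nothing matches; treat that as "nothing to report".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    foreach ($e in $events) {
        # Pull the account out of the message text (field name is an assumption).
        $account = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] }
                   else { '<see event message>' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Outcome = $eventMap[$e.Id]
            Account = $account
        }
    }
}

function Show-NetlogonAuditSummary {
    param($Records, [int]$Days)

    if (-not $Records) {
        Write-Host "No vulnerable Netlogon connections logged in the last $Days days."
        return
    }
    # One row per account and outcome: these are the devices to patch, replace or
    # (last resort) list in the 'Domain controller: Allow vulnerable Netlogon secure
    # channel connections' policy before enforcement goes live.
    $Records |
        Group-Object Account, EventId |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Group[0].Account
                EventId  = $_.Group[0].EventId
                Outcome  = $_.Group[0].Outcome
                Count    = $_.Count
                LastSeen = ($_.Group | Sort-Object Time -Descending)[0].Time
            }
        } |
        Sort-Object Count -Descending |
        Format-Table -AutoSize
}

function Enable-NetlogonEnforcement {
    # FullSecureChannelProtection=1 makes the DC reject every vulnerable connection,
    # i.e. the mode Microsoft switches on unconditionally from February 9, 2021.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $key -Name 'FullSecureChannelProtection' -Value 1 -Type DWord
    Get-ItemProperty -Path $key -Name 'FullSecureChannelProtection'
}

$records = Get-VulnerableNetlogonClients -Days $Days
Show-NetlogonAuditSummary -Records $records -Days $Days

if ($Enforce) {
    if ($records | Where-Object { $_.EventId -eq 5829 }) {
        Write-Warning 'Accounts still using the vulnerable handshake were seen in the audit window; enforcing now will break them.'
    }
    Enable-NetlogonEnforcement
}
```

Run it without -Enforce first and let it observe at least one full cycle of your non-Windows devices (a week is usually enough for backup appliances and NAS boxes that join the domain); 5829 entries are the ones that matter, because those connections will start failing with 5827 the moment enforcement is on. Only once the 5829 list is empty, or every remaining account has deliberately been placed in the exception policy (which then shows up as 5830/5831), run it again with -Enforce.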