Zerologon is the name given to the vulnerability tracked as CVE-2020-1472. The name refers to the flaw in the logon process: the initialization vector (IV) is always set to all zeros, whereas an IV should be a random number.
The flaw is an authentication bypass in the Netlogon Remote Protocol (MS-NRPC), a remote procedure call (RPC) interface used by Windows to authenticate users and devices on domain-based networks. It was designed for specific purposes, such as maintaining the relationship between domain members and the domain controller (DC), or replicating the domain controller database across multiple domain controllers in one or more domains.
One of the features of Netlogon is that it enables computers to authenticate to the domain controller and update their Active Directory credentials, and it is this particular feature that makes the Zerologon vulnerability dangerous.
In particular, the vulnerability allows an attacker to impersonate any computer on the domain, including the domain controller itself, and change its password, even the domain controller’s own password. The attacker thereby gains administrative access to the domain controller and so takes full control of it, and therefore of the network.
The Common Vulnerability Scoring System (CVSS) severity of this vulnerability is 10 out of 10 (CVSS v3.1). Active proof-of-concept (PoC) attacks have been identified, and it is very plausible that real-world attacks will follow soon.
Exploit code has been found in the wild since the vulnerability was disclosed, and CISA has reported that the vulnerability poses an “unacceptable risk” and requires “immediate and emergency action.”
The Cybersecurity and Infrastructure Security Agency issued an emergency directive ordering civilian federal agencies to urgently patch or disable all affected Windows servers, and warned non-governmental organisations to do the same.
Microsoft released the first of two patches in August 2020; it must be applied to all domain controllers.
How Zerologon vulnerability came to light
Tom Tervoort, a Dutch researcher at Secura, disclosed the vulnerability in September 2020. The vulnerability had in fact been patched in August, and it was not until the researcher published his paper in September that PoCs and other activity began to appear. Tervoort’s paper details his discovery and the process that led to it. During his research he noticed a significant lack of information about MS-NRPC and, intrigued, sought out more.
While Tervoort was initially looking for a person-in-the-middle attack, described in CVE-2020-1424, he found another vulnerability. Continuing his research, he identified what is now known as Zerologon. The crucial part of his finding is that Microsoft implemented a unique variant of cryptography, different from that of all other RPC protocols.
In Windows NT, accounts allocated to a computer were not treated as first-class accounts, so Microsoft could not use standard Kerberos or NTLM to authenticate computer (machine) accounts, and its developers produced an alternative instead. It is extremely difficult to build encryption code and protocols that cannot be broken, and, as is the case here, it can take an extremely long time before the vulnerabilities are detected.
Zerologon virtual patching solutions
Since the patch that was issued offered only a partial solution, additional interim measures must be taken to protect your network, devices, and data. One such measure is to verify whether the vulnerability is present. Three tools, one of them supported by Secura and Tervoort, are already available to detect the Zerologon vulnerability on AD servers.
Standard security measures should always be in place to detect compromised accounts and networks, malicious traffic, and other indicators of compromise. Intrusion detection and prevention systems, together with network and host anti-malware tools on all endpoints that watch for ransomware, viruses, and other threats, are critical.
A SIEM (Security Information and Event Management) system needs to gather, centralise, and analyse logs. Once the logs are analysed, people and procedures should be in place to respond to indicators of compromise (IoCs). An incident response team with strong protocols and expertise should then take control, determine the nature of the compromise, and work towards a solution.
Through CISA, the Department of Homeland Security issues emergency directives ordering government departments to take specific measures in response to high-risk threats to information security, but this process is not frequently used. Since 2016 the agency has issued only 13 such directives, four of them this year.
On September 18, after Secura released its whitepaper and hackers created proof-of-concept exploits, significantly increasing the risk of Zerologon being exploited in the wild, CISA issued Emergency Directive 20-04. It said, in part:
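As an added example (not from this article, Secura or Microsoft), the following Python sketch shows the kind of SIEM-side check described above: it triages Netlogon events using the event IDs (5827-5831) that Microsoft's August 2020 update added to the System log for CVE-2020-1472. The one-line export format, the machine names and the addresses are constructed assumptions; real events are XML records from the NETLOGON source.

```python
import re
from collections import defaultdict

# Netlogon events added to the System log by the August 2020 update for
# CVE-2020-1472. 5829 marks a vulnerable secure channel the DC still allowed
# (client needs updating); 5827/5828 mark connections the DC denied.
NETLOGON_EVENTS = {
    5827: "denied: vulnerable machine account connection",
    5828: "denied: vulnerable trust account connection",
    5829: "allowed: vulnerable machine account connection (needs attention)",
    5830: "allowed by policy: machine account",
    5831: "allowed by policy: trust account",
}

# Constructed, simplified export line (assumption, stands in for a SIEM export):
# "<timestamp> EventID=<id> Source=NETLOGON Machine=<account> From=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+Source=NETLOGON"
    r"(?:\s+Machine=(?P<machine>\S+))?(?:\s+From=(?P<ip>\S+))?"
)

# Constructed sample log: names and addresses are made up for the example.
SAMPLE_LOG = """\
2020-09-20T10:01:02Z EventID=5829 Source=NETLOGON Machine=WS01$ From=10.0.0.15
2020-09-20T10:01:09Z EventID=5830 Source=NETLOGON Machine=LEGACY$ From=10.0.0.77
2020-09-20T10:02:44Z EventID=5827 Source=NETLOGON Machine=UNKNOWN01$ From=10.0.9.9
2020-09-20T10:03:01Z EventID=5829 Source=NETLOGON Machine=WS01$ From=10.0.0.15
2020-09-20T10:03:30Z EventID=4624 Source=Microsoft-Windows-Security-Auditing
2020-09-20T10:04:00Z EventID=5829 Source=NETLOGON Machine=PRN02$ From=10.0.0.40
"""

def parse_netlogon_events(text):
    """Return one dict per line that is a CVE-2020-1472 Netlogon event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group("eid")) not in NETLOGON_EVENTS:
            continue  # other sources (e.g. 4624 logons) are ignored here
        events.append({"ts": m.group("ts"), "event_id": int(m.group("eid")),
                       "machine": m.group("machine"), "ip": m.group("ip")})
    return events

def triage(events):
    """Split into machines still using vulnerable connections and denied attempts."""
    still_vulnerable = defaultdict(int)   # 5829: update or replace these clients
    denied = []                           # 5827/5828: blocked, worth an IR look
    for e in events:
        if e["event_id"] == 5829:
            still_vulnerable[e["machine"]] += 1
        elif e["event_id"] in (5827, 5828):
            denied.append((e["machine"], e["ip"]))
    return dict(still_vulnerable), denied
```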
CISA has determined that the Federal Civilian Executive Branch faces an unacceptable risk from this vulnerability and needs urgent and emergency measures. The basis of this determination is as follows:
- The wildly increasing risk of any patched domain controller being exploited by the availability of the exploit code;
- The pervasive reach in the federal enterprise of the affected domain controllers;
- The high potential for a compromise of agency information systems;
- The devastating impact of a successful compromise; and
- The vulnerability has continued to exist for more than 30 days since the release of the update.