Security researchers and U.S. government agencies alike are urging admins to patch a critical Microsoft privilege-escalation vulnerability.
Proof-of-concept (PoC) exploit code released for the Windows flaw could let attackers compromise enterprises by gaining administrative privileges, giving them control of companies' Active Directory domain controllers (DCs).
Dubbed "Zerologon" (CVE-2020-1472), the vulnerability is a privilege-escalation flaw with a CVSS score of 10 out of 10, the maximum severity rating. Microsoft patched it in its August 2020 security updates, but this week at least four public PoC exploits for the bug were released on GitHub. On Friday, researchers at Secura (who discovered the flaw) published technical details of the vulnerability.
“This attack has a huge impact: It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain,” said researchers with Secura. “The attack is completely unauthenticated: The attacker does not need any user credentials.”
The flaw lies in the Netlogon Remote Protocol (MS-NRPC), exposed by Windows domain controllers and used for several tasks related to user and machine authentication.
In a real-world attack, attackers could send a series of Netlogon messages in which various fields are filled with zeroes, letting them bypass the protocol's authentication and then access and change the computer-account password of the domain controller that is stored in Active Directory (AD), researchers said.
“Due to incorrect use of an AES mode of operation it is possible to spoof the identity of any computer account (including that of the [Domain Controller] itself) and set an empty password for that account in the domain,” according to Secura researchers.
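To make the mechanism in the two paragraphs above concrete, here is an added example (not code from the article, from Secura, or from any of the public PoCs) that models the Netlogon AES credential computation locally in Go, with no network or RPC involved. It assumes, as Secura describe, that the credential is AES-CFB8 over the 8-byte challenge with a fixed all-zero IV, and models the DC's per-handshake session key as 16 unknown random bytes. The random-IV variant is an assumption of this example included only to isolate the cryptographic root cause; it is not Microsoft's patch.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"fmt"
	"math/rand"
)

// aesCFB8Encrypt is AES in CFB8 mode: each plaintext byte is XORed with the first
// byte of AES_k(shift register); the register then drops its oldest byte and
// takes the new ciphertext byte on the end.
func aesCFB8Encrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	sr := make([]byte, aes.BlockSize)
	copy(sr, iv)
	keystream := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(keystream, sr)
		out[i] = p ^ keystream[0]
		copy(sr, sr[1:]) // shift left by one byte (copy handles the overlap)
		sr[aes.BlockSize-1] = out[i]
	}
	return out
}

// computeNetlogonCredential models the Netlogon AES credential function as
// Secura describe it: AES-CFB8 over the 8-byte challenge with an all-zero IV.
// If AES_k(0^16) starts with a zero byte, a zero challenge encrypts to a zero
// credential and the shift register never changes, so every output byte is 0.
func computeNetlogonCredential(sessionKey, challenge []byte) []byte {
	return aesCFB8Encrypt(sessionKey, make([]byte, aes.BlockSize), challenge)
}

func allZero(b []byte) bool {
	for _, x := range b {
		if x != 0 {
			return false
		}
	}
	return true
}

func randomBytes(rng *rand.Rand, n int) []byte {
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(rng.Intn(256))
	}
	return b
}

// serverAccepts plays the DC side of one handshake. The real DC derives the
// session key from its own random server challenge, so from the attacker's view
// the key is fresh and unknown each attempt; it is modelled as 16 random bytes.
// fixedZeroIV=true is the vulnerable construction; false uses a per-handshake
// random IV (an assumption of this example, not Microsoft's actual fix).
func serverAccepts(rng *rand.Rand, clientChallenge, clientCredential []byte, fixedZeroIV bool) bool {
	sessionKey := randomBytes(rng, 16)
	iv := make([]byte, aes.BlockSize)
	if !fixedZeroIV {
		iv = randomBytes(rng, aes.BlockSize)
	}
	expected := aesCFB8Encrypt(sessionKey, iv, clientChallenge)
	return subtle.ConstantTimeCompare(expected, clientCredential) == 1
}

// zerologonAttempts is the bypass loop: the attacker sends an all-zero client
// challenge and an all-zero client credential and simply retries. With a zero
// IV the server accepts as soon as AES_k(0^16)[0] == 0, i.e. with probability
// 1/256 per attempt. Returns the attempt number that succeeded, or 0 if none did.
func zerologonAttempts(rng *rand.Rand, maxAttempts int, fixedZeroIV bool) int {
	zero := make([]byte, 8)
	for n := 1; n <= maxAttempts; n++ {
		if serverAccepts(rng, zero, zero, fixedZeroIV) {
			return n
		}
	}
	return 0
}

// findKeyWithZeroFirstByte searches random keys until AES_k(0^16) begins with
// 0x00, the exact condition under which a zero challenge yields a zero credential.
func findKeyWithZeroFirstByte(rng *rand.Rand) []byte {
	zeroBlock := make([]byte, aes.BlockSize)
	out := make([]byte, aes.BlockSize)
	for {
		key := randomBytes(rng, 16)
		block, _ := aes.NewCipher(key) // 16-byte key never errors
		block.Encrypt(out, zeroBlock)
		if out[0] == 0 {
			return key
		}
	}
}

func main() {
	n := zerologonAttempts(rand.New(rand.NewSource(1)), 5000, true)
	fmt.Printf("vulnerable DC (zero IV): accepted all-zero credential on attempt %d\n", n)
	n = zerologonAttempts(rand.New(rand.NewSource(1)), 5000, false)
	fmt.Printf("random-IV variant: accepted on attempt %d (0 = never)\n", n)
	key := findKeyWithZeroFirstByte(rand.New(rand.NewSource(2)))
	fmt.Printf("key with AES_k(0)[0]==0 gives credential %x\n", computeNetlogonCredential(key, make([]byte, 8)))
}
```

Run it with `go run` and it reports the attempt on which the zero credential was accepted; expect on the order of a few hundred tries, since each handshake succeeds independently with probability 1/256, which is why the public PoCs loop rather than needing any key material. Real exploitation additionally has to reach the DC's Netlogon RPC interface and then use the spoofed session to reset the machine-account password, and Microsoft's patch works at the protocol level (enforcing secure Netlogon channels) rather than by changing the cipher mode.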
“A vulnerable client or DC exposed to the internet is not exploitable by itself,” according to researchers with Tenable in an analysis of the flaw. “The attack requires that the spoofed login works like a normal domain login attempt. Active Directory (AD) would need to recognize the connecting client as being within its logical topology, which external addresses wouldn’t have.”
Still, if attackers can exploit the flaw, they can impersonate any machine on the network when authenticating to the domain controller, enabling further attacks up to and including complete takeover of the Windows domain, researchers said.
“In a hypothetical attack, one could use this vulnerability to deploy ransomware throughout an organization and maintain a persistent presence if cleanup and restoration efforts miss any additional malicious scripts,” said Tenable researchers. “Organizations with network-accessible backups could end up with a perfect storm if a ransomware group destroys backups to increase their likelihood of payout from the victim organization.”