
In the update package that Microsoft released in August, the company included a patch for a critical privilege escalation vulnerability (CVE-2020-1472) in the Netlogon authentication service, a service that, among other things, handles changing account passwords (including computer account passwords) on Active Directory domain controllers. If exploited successfully, an unauthenticated attacker with network access to a domain controller would be able to compromise an entire Windows network: escalate to domain administrator privileges, and from there change user passwords and execute whatever commands they want.
This vulnerability in Windows Server, dubbed Zerologon, received a score of 10 out of 10 on the CVSS severity scale and was reported to Microsoft by the company Secura, which, as mentioned above, fixed the bug in the August "Patch Tuesday". But after several exploits were made public as proofs of concept on GitHub, organizations such as US-CERT issued alerts stressing the importance of installing the patches as soon as possible, given that attackers could use this vulnerability to take control of domain controllers in corporate networks. For their part, on Friday the researchers who discovered the vulnerability published its technical details.
The Windows Netlogon Remote Protocol (MS-NRPC) is a core authentication component of Active Directory and is used to authenticate users and computers against domain controllers. According to the researchers who discovered the flaw, Zerologon takes advantage of an insecure use of AES (Advanced Encryption Standard) in the Netlogon authentication handshake: the challenge is encrypted with AES in CFB8 mode using a fixed, all-zero initialization vector, so for roughly one in 256 session keys an all-zero challenge encrypts to an all-zero credential. An attacker who sends zeros and simply retries the handshake is therefore accepted after a few hundred attempts on average. All an attacker needs in order to exploit this vulnerability is a TCP connection to a domain controller, either because it is exposed to the internet or because the attacker has already compromised some other computer on the network.
Furthermore, the attacker does not need user credentials, since the attack is carried out without authenticating at all. Secura also published on GitHub a tool that checks whether your own systems are vulnerable to Zerologon.
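To make the flaw described above concrete, the following is an added example written for this article; it is not code from the original post, from Secura, or from any of the published exploits. It simulates the Netlogon credential computation (AES-CFB8 with an all-zero IV) and the retry attack against it. Two things are assumptions made so it runs with the Python standard library alone: block_encrypt is a SHA-256-based stand-in for a block cipher, not real AES (the weakness depends only on the block function behaving like a random permutation, which AES does), and derive_session_key is a simplified stand-in for the MS-NRPC session-key derivation. All function names are hypothetical.

```python
import hashlib
import itertools
import os

BLOCK_SIZE = 16              # AES-128 block size in bytes
ZERO_IV = bytes(BLOCK_SIZE)  # Netlogon's fixed all-zero IV: this is the flaw
CHALLENGE_LEN = 8            # Netlogon challenges and credentials are 8 bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption.

    ASSUMPTION: this is NOT AES. It is a keyed pseudorandom block function
    built from SHA-256 so the example runs with the standard library alone.
    The CFB8 weakness shown below only needs the block function to behave
    like a random permutation, which real AES does for a random key.
    """
    assert len(block) == BLOCK_SIZE
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: encrypt the 16-byte shift register, XOR its first output
    byte with one plaintext byte, shift that ciphertext byte into the
    register, and repeat for every plaintext byte."""
    register = bytearray(iv)
    ciphertext = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(register))[0] ^ p
        ciphertext.append(c)
        register = register[1:] + bytes([c])
    return bytes(ciphertext)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential with AES: CFB8 under an all-zero IV.
    If the challenge is all zeros and the first byte of E(key, 0^16) is 0,
    every round feeds a zero byte back into an all-zero register, so the
    whole 8-byte credential comes out as zeros."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def is_weak_session_key(key: bytes) -> bool:
    """True for the roughly 1-in-256 keys whose E(key, 0^16) starts with 0x00."""
    return block_encrypt(key, ZERO_IV)[0] == 0


def find_weak_session_key(start: int = 0) -> bytes:
    """Deterministically scan 16-byte counter keys until a weak one is found."""
    for i in itertools.count(start):
        key = i.to_bytes(BLOCK_SIZE, "big")
        if is_weak_session_key(key):
            return key


def derive_session_key(machine_secret: bytes, client_challenge: bytes,
                       server_challenge: bytes) -> bytes:
    """Simplified session-key derivation (ASSUMPTION: stands in for the
    MS-NRPC HMAC-SHA256 derivation). The attacker cannot steer it because
    the server challenge is fresh and random on every handshake."""
    return hashlib.sha256(machine_secret + client_challenge
                          + server_challenge).digest()[:BLOCK_SIZE]


def server_authenticate(machine_secret: bytes, client_challenge: bytes,
                        client_credential: bytes) -> bool:
    """One authentication round as seen from the domain controller side."""
    server_challenge = os.urandom(CHALLENGE_LEN)
    session_key = derive_session_key(machine_secret, client_challenge,
                                     server_challenge)
    expected = compute_netlogon_credential(session_key, client_challenge)
    return expected == client_credential


def zerologon_attack(machine_secret: bytes, max_attempts: int = 5000):
    """Attacker side: send an all-zero challenge with an all-zero credential
    and retry until the DC happens to pick a weak session key. Returns the
    attempt number on success (about 256 on average) or None on failure."""
    zeros = bytes(CHALLENGE_LEN)
    for attempt in range(1, max_attempts + 1):
        if server_authenticate(machine_secret, zeros, zeros):
            return attempt
    return None


if __name__ == "__main__":
    weak = find_weak_session_key()
    print("weak session key          :", weak.hex())
    print("credential, zero IV       :", compute_netlogon_credential(weak, bytes(8)).hex())
    print("credential, random IV     :", cfb8_encrypt(weak, os.urandom(16), bytes(8)).hex())
    # constructed sample secret; a real DC would use its machine account password
    print("attempts until accepted   :", zerologon_attack(b"dc-machine-account-secret"))
```

The collapse is a property of CFB8 with a zero IV and a zero plaintext, not of AES itself: the same thing happens with any block cipher, which is why the demo works with a stand-in block function. With a non-zero IV the shift register never becomes all zeros, so a weak key only zeroes the first credential byte and the chance of an all-zero credential drops to about 2^-64.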
The impact of this vulnerability, if exploited by cybercriminals, is very large, especially in the context of threats such as ransomware: once attackers have a foothold in the network, they would be able to compromise a large number of the computers on it.
About the Zerologon exploits
The Secura researchers said they would not release a full proof-of-concept exploit for this vulnerability, but warned that cybercriminals could build one without much effort. Even so, at least three researchers independently published their own proofs of concept, as Ars Technica reported. Most of these exploits are written in Python, but .NET versions were also released.
Although, before the proofs of concept were made public, Microsoft had rated exploitation of this vulnerability as unlikely in August, the striking thing is that only a few weeks later we are talking about working exploits for a flaw that already has its own name.
Will Dormann, vulnerability analyst at the CERT Coordination Center in the United States, confirmed that one of the publicly released exploits works.