Researchers have developed and published a proof-of-concept exploit for a recently patched Windows vulnerability that gives access to a company's crown jewels – Active Directory domain controllers, which act as a powerful gatekeeper for all computers connected to a network.
CVE-2020-1472 has a Critical Severity Level from Microsoft for tracking the vulnerability and a maximum of 10 under the Common Vulnerability Scoring System. Exploits require an attacker to gain a foothold in a target network, either as an unprivileged insider or through the compromise of a connected device.
A "crazy" bug with a "big impact"
Such compromise exploits have become increasingly valuable to attackers using ransomware or espionage spyware. It is relatively easy to get employees to click malicious links and attachments in email. Using these compromised computers to pivot to more valuable resources can be much more difficult.
It can sometimes take weeks or months for low-level permissions to be extended to those necessary to install malware or execute commands. Enter Zerologon, an exploit developed by researchers at the security company Secura. This allows attackers to take control of the Active Directory immediately. From there, they can do just about anything from adding new computers to the network to infecting each one with malware of their choice.
"This attack is having a huge impact," Secura researchers wrote in a white paper published Friday. “In principle, any attacker in the local network (e.g. a malicious insider or someone who has simply connected a device to a local network port) can completely endanger the Windows domain. The attack is totally unauthenticated: the attacker does not need any user credentials. "
The Secura researchers who discovered the vulnerability and reported it to Microsoft said they had developed an exploit that worked reliably. However, given the risk, do not release it until you are certain that the Microsoft patch is widespread on vulnerable servers. However, the researchers warned that it would not be difficult to use the Microsoft patch to work backwards and develop an exploit. Meanwhile, separate researchers from other security firms have posted their own proof-of-concept attack code here, here, and here.
The publication and description of exploit code quickly caught the attention of the US agency for cybersecurity and infrastructure security, which works to improve cybersecurity at all levels of government. Twitter on Monday also exploded with comments highlighting the threat posed by the vulnerability.
"Zerologon (CVE-2020-1472), the craziest vulnerability ever!" A Windows user wrote. "Immediate domain administrator rights through unauthenticated network access to DC."
"Remember something about Least Privileged Access and how it doesn't matter if some boxes get pwned?" Zuk Avraham, a researcher who is the founder and CEO of security company ZecOps, wrote. "Well … CVE-2020-1472 / #Zerologon will basically change your mind."
We can't just ignore attackers if they're not causing harm. We cannot simply wipe computers with malware / problems without investigating the problems first. We can't just restore an image without checking what other assets are infected / how the malware got in.
– Zuk (@ihackbanme) September 14, 2020
Key to the kingdom
Zerologon sends a series of zeros in a series of messages using the Netlogon protocol that Windows servers rely on for a variety of tasks, including allowing end users to log on to a network. People who are not authenticated could use the exploit to obtain administrative credentials for domains, provided the attacker can establish TCP connections with a vulnerable domain controller.
The vulnerability arises from the Windows implementation of AES-CFB8 or the use of the AES cryptographic protocol with encryption feedback to encrypt and validate authentication messages as they traverse the internal network.
In order for AES-CFB8 to work properly, so-called initialization vectors must be unique and generated randomly with each message. Windows did not meet this requirement. Zerologon takes advantage of this loophole by sending Netlogon messages that contain zeros in various carefully selected fields. The Secura report provides an in-depth look at the root cause of the vulnerability and the five step approach to exploiting it.
In a statement, Microsoft wrote: "A security update was released in August 2020. Customers who apply the update or have automatic updates enabled will be protected."
As suggested in some Twitter comments, some naysayers will likely downplay the severity by saying that every time attackers gain a foothold on a network, it's game over.
This argument runs counter to the principle of defense in depth, which advocates the creation of multiple layers of defense that anticipate successful violations and create redundancies to mitigate them.
Administrators are understandably cautious about installing updates that affect network components as sensitive as domain controllers. In this case, you may be at greater risk if you don't install than if you install earlier than you want. Organizations with vulnerable servers should find all the resources they need to ensure this patch is applied sooner rather than later.