Threat Response: Critical vulnerability in Windows called ‘Zerologon’

25-09-2020



On Tuesday the 11th of August 2020 Microsoft released a patch for a severe vulnerability in Windows [1]. On September 15th a Proof-of-Concept (PoC) was made publicly available that gave insight into how the vulnerability works. At the time of writing several exploits are publicly available.

The vulnerability is registered under CVE-2020-1472 and is also known as ‘Zerologon’. Through this vulnerability, attackers can call ‘Netlogon’ functions while bypassing authentication. This makes it possible, for instance, to change the passwords of computer accounts within Active Directory. The most recent exploit lets attackers retrieve the password hash of a Domain Administrator account; with that hash an attacker can take over and abuse the account. Active abuse of the public exploit code has been observed in the wild [2]. Northwave expects advanced attackers will soon be able to use their own, private exploits. We advise you to install the patch immediately.

Impact
By abusing the vulnerability, an attacker can change the password of the computer account of a Domain Controller. Ultimately this allows an attacker to retrieve the password hashes of the entire Active Directory domain. The impact is therefore: high.

Risk
An attacker needs to be able to reach the Domain Controllers over TCP (the Netlogon RPC interface). Valid credentials are not required to perform the attack. The risk of this vulnerability is therefore: high.

Mitigation
Northwave advises to install the August 2020 patches immediately if this has not already been done. Microsoft released a document detailing what the patches do and how to manage the resulting changes in Netlogon secure channel connections [3]. At the time of writing no other mitigations are known.
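The following PowerShell script is an added example for verifying the mitigation on a Domain Controller; it is not code from Northwave or Microsoft. It relies on two facts documented in the Microsoft article cited as [3]: a patched Domain Controller logs Netlogon events 5827/5828 (vulnerable connection denied), 5829 (vulnerable connection allowed) and 5830/5831 (allowed by group policy) in the System event log, and the registry value FullSecureChannelProtection under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters switches enforcement mode on. The parameter $LookbackDays and the choice to list updates installed on or after 11 August 2020 are assumptions of this example.

```powershell
# Added example (not part of the original advisory): run as an administrator
# on each Domain Controller after installing the August 2020 update.
# $LookbackDays is an assumed parameter of this example.
param(
    [int]$LookbackDays = 7
)

# Netlogon event IDs documented in KB4557222 (source [3] of the advisory):
#   5827/5828 = vulnerable secure channel connection denied
#   5829      = vulnerable connection allowed (denied once enforcement is on)
#   5830/5831 = allowed because the group policy explicitly permits it
$netlogonIds = 5827, 5828, 5829, 5830, 5831

# 1. Updates installed on or after the patch release date (11 August 2020).
#    This only shows that *some* update was installed since then; check the
#    listed KB numbers against the table in source [1] for your OS version.
$patchDate = Get-Date '2020-08-11'
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $patchDate }
if ($recent) {
    Write-Host "Updates installed since $($patchDate.ToShortDateString()):"
    $recent | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Warning "No updates installed since $($patchDate.ToShortDateString()); the Zerologon patch is probably missing."
}

# 2. Is enforcement mode switched on? (REG_DWORD FullSecureChannelProtection = 1)
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$enforce = (Get-ItemProperty -Path $paramsKey -Name FullSecureChannelProtection `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($enforce -eq 1) {
    Write-Host 'Enforcement mode is ON: vulnerable Netlogon connections are denied.'
} else {
    Write-Warning 'Enforcement mode is OFF: non-compliant devices are still allowed (look for event 5829).'
}

# 3. Which devices are still setting up vulnerable Netlogon secure channels?
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = $netlogonIds
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Netlogon events 5827-5831 in the last $LookbackDays days."
    Write-Host 'Note: these events only exist on a patched DC; if the update is missing, absence proves nothing.'
    return
}

# Summarise per event ID and show the newest messages, whose first line names
# the client account and its address.
$events |
    ForEach-Object {
        [pscustomobject]@{
            EventId = $_.Id
            Time    = $_.TimeCreated
            Summary = ($_.Message -split "`n")[0].Trim()
        }
    } |
    Group-Object EventId |
    ForEach-Object {
        '{0,5} x event {1}' -f $_.Count, $_.Name
        $_.Group | Sort-Object Time -Descending | Select-Object -First 5 |
            ForEach-Object { "        $($_.Time)  $($_.Summary)" }
    }
```

Any device that appears in a 5829 event still negotiates a vulnerable secure channel and will stop working once enforcement mode is turned on, so those devices should be patched or replaced before FullSecureChannelProtection is set to 1.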

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
[2]: https://twitter.com/MsftSecIntel/status/1308941504707063808
[3]: https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc


Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.