Threat Response UPDATE: Critical vulnerability in Windows called ‘Zerologon’

30-09-2020

A SAFE DIGITAL JOURNEY

Last Friday, September 25, we informed you about the so called ‘Zerologon’ vulnerability in Windows. We urged you to install the published patches as soon as possible. Recently, more information was added [1] by Microsoft regarding the patch, including more steps necessary to be fully protected against the vulnerability. Apart from installing the patches, it is necessary to also enable the ‘enforcement mode’ to completely mitigate the risks. Enabling enforcement mode prevents all systems from using the vulnerable version of the Netlogon protocol. However, enabling this mode may lead to negative side effects if systems that rely on the vulnerable version of the Netlogon protocol are present. On February 9th 2021, enforcement mode will automatically be enabled. To prevent your business from negative side effects Microsoft has added log-events that detail the systems using the vulnerable protocol variant. It is strongly recommended to investigate the potential impact on your infrastructure. If you can confirm that no side effects should occur, you are recommended to enable the enforcement mode immediately. Microsoft has added details on how to do that in their documentation [1].

At the time of writing, we believe all known public exploits are mitigated by the patch Microsoft released. If your network contains legacy or third-party systems that rely on the insecure protocol, different abuse scenarios may be possible. Please review your Windows event logs to see whether this is the case. Review the windows event logs to determine if this applies to you. You should look for EventID 5829.

Stepwise approach
In summary, the following steps need to be performed to be fully protected against this vulnerability:

  1. Install the patches released in August as soon as possible on all systems [2].
  2. Review if the vulnerable version of the Netlogon protocol is used by legacy systems through searching the event logs (EventID 5829).
  3. If you find such systems, attempt to upgrade them to newer versions that do not use the vulnerable protocol. Contact the vendor for assistance if necessary, or put those systems on the exceptions list [3].
  4. Enable enforcement mode.

To see the previous message about this Threat Response, click here.

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (alleen vanuit Nederland)

Disclaimer applies, see below.

Sources

[1]: https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
[2]: 
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
[3]: 
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc#AddressingEventIDs 

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.