Just in Time Bulletin: Zerologon

What is Zerologon? 

CVE-2020-1472, known as Zerologon, is a critical authentication bypass vulnerability that severely impacts Windows Domain Controller servers due to the improper handling of malformed Netlogon messages.

It was discovered by Secura researcher Tom Tervoort, the highly critical bug relates to a cryptographic flaw in the Netlogon protocol used as an authentication mechanism.

How bad is this? 

Active exploitation today: Exploited in the wild

Severity: Critical

  • credentials not required
  • authentication bypass
  • results in domain controller compromise

This is an authentication bypass vulnerability that impacts the most critical systems within a Windows Active Directory domain. Successful exploitation of this vulnerability grants an adversary complete control over all domain connected systems and users.

Who is affected by this? 

  • Windows Server 2019, all editions
  • Windows Server 2016
  • Windows Server, version 1909, all editions
  • Windows Server, version 1903, all editions
  • Windows Server, version 1809 (Datacenter, Standard)
  • Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 Service Pack 1

How are they exploited? 

An attacker on the same network as a Windows domain controller can leverage publicly available exploits to bypass authentication on the vulnerable domain controller. Domain controllers are typically only accessible on internal networks, which reduces exposure. The vulnerability is exploited by crafting a malicious Netlogon authentication message that contains zero padded strings in various specific fields. The vulnerability arises due to flaws in the AES encryption protocol implementation used to validate authentication messages as they traverse the internal network. Successful exploitation results in authentication bypass, which effectively grants an unauthenticated attacker access to the domain controller as a domain admin, or the most privileged account within a Windows domain. 

How do I protect myself? 

Microsoft has released patches to address Zerologn across a variety of Windows Server releases. Fix has been issued as a part of the Patch Tuesday on August 11th, 2020.

NopSec strongly encourages organizations to apply these patches as soon as possible. A compromise can result in a Domain Controller compromise, which ultimately compromises your Active Directory. At this point, incident handling should be done with professional assistance.

Additional Resources: