DHS CISA issued an emergency directive ordering government agencies to address the Zerologon vulnerability (CVE-2020-1472) by Monday.
The Department of Homeland Security’s CISA issued an emergency directive to order government agencies to address the Zerologon vulnerability (CVE-2020-1472) by Monday.
The CVE-2020-1472 flaw is an elevation-of-privilege vulnerability in the Netlogon service. Netlogon is the authentication mechanism used in the Windows client authentication architecture: it verifies logon requests, and it registers, authenticates, and locates domain controllers.
Administrators of enterprise Windows Servers have to install the August 2020 Patch Tuesday updates to mitigate the “unacceptable risk” the flaw poses to federal networks.
“CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” reads the emergency directive. “This determination is based on the following:
- the availability of the exploit code in the wild increasing likelihood of any unpatched domain controller being exploited;
- the widespread presence of the affected domain controllers across the federal enterprise;
- the high potential for a compromise of agency information systems;
- the grave impact of a successful compromise; and
- the continued presence of the vulnerability more than 30 days since the update was released.
CISA requires that agencies immediately apply the Windows Server August 2020 security update to all domain controllers.”
An attacker could exploit the vulnerability to impersonate any computer, including the domain controller itself, and execute remote procedure calls on its behalf.
An attacker could also exploit the flaw to disable security features in the Netlogon authentication process and change a computer’s password on the domain controller’s Active Directory.
The only limitation on how to carry out a Zerologon attack is that the attacker must have access to the target network.
Secura researchers released a Python script, built on the Impacket library, that tests for the Zerologon vulnerability; admins can use it to determine whether their domain controllers are still vulnerable.
“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password,” concludes the research paper.
“This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated.”
Threat actors could chain the Zerologon attack with malware and ransomware delivery on the target network.
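The artifact the attack leaves behind, as Secura describes it, is a password change on the domain controller's own computer account made over an unauthenticated session. The following PowerShell is an added detection example written for this article; it is not Secura's test script and not CISA tooling. It assumes the Windows Security log's Event ID 4742 ("A computer account was changed") with its `SubjectUserName`, `TargetUserName` and `PasswordLastSet` data fields (where `-` means the attribute was not changed), and that an unauthenticated change shows the subject as `ANONYMOUS LOGON`; the three sample events at the bottom are constructed for the demo so the script runs without a live log.

```powershell
# Added example (not from the Security Affairs article or Secura's paper).
# Flags 4742 events where a domain controller's own computer account had its
# password changed, and rates the hit higher when the subject is ANONYMOUS LOGON,
# which is what an unauthenticated (Zerologon-style) reset looks like.
# Assumptions: 4742 EventData field names SubjectUserName / TargetUserName /
# PasswordLastSet, with '-' meaning "not changed". Verify against your own DCs.

function ConvertFrom-ComputerAccountEvent {
    # Turns a live Security-log record into the flat object the detector expects.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $xml  = [xml] $Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Id              = $Record.Id
        TimeCreated     = $Record.TimeCreated
        SubjectUserName = $data['SubjectUserName']
        TargetUserName  = $data['TargetUserName']
        PasswordLastSet = $data['PasswordLastSet']
    }
}

function Find-DcPasswordReset {
    param(
        [Parameter(Mandatory)] [string[]] $DomainControllerAccounts, # sAMAccountNames such as 'DC01$'
        [Parameter(Mandatory)] [object[]] $Events                    # output of ConvertFrom-ComputerAccountEvent
    )
    foreach ($e in $Events) {
        if ($e.Id -ne 4742) { continue }
        $targetIsDc      = $DomainControllerAccounts -contains $e.TargetUserName
        $passwordChanged = $e.PasswordLastSet -and $e.PasswordLastSet -ne '-'
        if (-not ($targetIsDc -and $passwordChanged)) { continue }
        $anonymous = $e.SubjectUserName -eq 'ANONYMOUS LOGON'
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Target      = $e.TargetUserName
            Subject     = $e.SubjectUserName
            Severity    = if ($anonymous) { 'High: unauthenticated DC password change (Zerologon pattern)' }
                          else            { 'Review: DC password changed by an authenticated principal' }
        }
    }
}

# Live collection on a DC would be:
#   $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4742 } |
#             ForEach-Object { ConvertFrom-ComputerAccountEvent $_ }
#   $dcs    = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }
# Constructed sample data for an offline run:
$dcs    = @('DC01$', 'DC02$')
$events = @(
    [pscustomobject]@{ Id = 4742; TimeCreated = '2020-09-18 10:01'; SubjectUserName = 'ANONYMOUS LOGON'; TargetUserName = 'DC01$'; PasswordLastSet = '9/18/2020 10:01:00 AM' },
    [pscustomobject]@{ Id = 4742; TimeCreated = '2020-09-18 10:05'; SubjectUserName = 'WS07$';           TargetUserName = 'WS07$'; PasswordLastSet = '9/18/2020 10:05:00 AM' },  # normal workstation rotation
    [pscustomobject]@{ Id = 4742; TimeCreated = '2020-09-18 10:09'; SubjectUserName = 'svc-admin';       TargetUserName = 'DC01$'; PasswordLastSet = '-' }                        # DC changed, password untouched
)

Find-DcPasswordReset -DomainControllerAccounts $dcs -Events $events | Format-Table -AutoSize
# Only the first sample event is reported, rated High.
```

Domain controllers rotate their own machine password on a schedule, and that rotation is also a 4742 with the DC as both subject and target, so the rule keys on the subject rather than on the change alone; anything rated "Review" is a legitimate admin or a DC's self-rotation and can be tuned out once you know your baseline.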
CISA officials state that Windows Servers that can’t be patched have to be shut down and removed from the government network.
This emergency directive requires the following actions:
- Update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020.
  a. Apply the August 2020 Security Update to all Windows Servers with the domain controller role. If affected domain controllers cannot be updated, ensure they are removed from the network.
  b. By 11:59 PM EDT, Monday, September 21, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected domain controller servers are updated before connecting to agency networks.
“In addition to agencies using their vulnerability scanning tools for this task, CISA recommends that agencies use other means to confirm that the update has been properly deployed.
These requirements apply to Windows Servers with the Active Directory domain controller role in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.”
- Report information to CISA.
  a. By 11:59 PM EDT, Wednesday, September 23, 2020, submit a completion report using the provided template. Department-level Chief Information Officers (CIOs) or equivalents must submit completion reports attesting to CISA that the applicable update has been applied to all affected servers and provide assurance that newly provisioned or previously disconnected servers will be patched as required by this directive prior to network connection (per Action 1).
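The directive asks agencies to confirm the update on every domain controller by "other means" than their vulnerability scanner and to treat DCs that cannot be patched as candidates for removal from the network. The PowerShell below is an added example of such a check written for this article, not CISA's template or any Microsoft tooling. It assumes RSAT's ActiveDirectory module and WinRM access to each DC, that the operator fills in the KB number(s) of the August 2020 update for their DC builds (the placeholder is not a real KB), and that Microsoft's enforcement-mode registry value `FullSecureChannelProtection` under the Netlogon service parameters exists as documented in its CVE-2020-1472 guidance; confirm both against the advisory before relying on the output.

```powershell
# Added example (not CISA's or Microsoft's code). Produces a per-DC status table:
# Patched / Unpatched / Unreachable, which maps onto the directive's actions
# (apply the update, or remove the DC from the network until it is patched).
# Assumptions: ActiveDirectory module + WinRM; $RequiredKB filled in by the operator;
# the Netlogon 'FullSecureChannelProtection' DWORD is the enforcement-mode switch.

Import-Module ActiveDirectory

function Get-DcZerologonPatchReport {
    param(
        # Placeholder: replace with the August 2020 cumulative update KB(s) for each DC OS build.
        [string[]] $RequiredKB = @('KB<AUGUST-2020-UPDATE-FOR-YOUR-BUILD>')
    )
    $netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    foreach ($dc in Get-ADDomainController -Filter *) {
        $name = $dc.HostName
        try {
            $remote = Invoke-Command -ComputerName $name -ErrorAction Stop -ArgumentList (, $RequiredKB), $netlogonKey -ScriptBlock {
                param($kbs, $key)
                $installed = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID } | Select-Object -ExpandProperty HotFixID
                $params    = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    InstalledKB  = @($installed)
                    Enforcement  = $params.FullSecureChannelProtection   # $null when the value is not set
                    LastBootTime = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
                    OSVersion    = (Get-CimInstance Win32_OperatingSystem).Version
                }
            }
            $patched = $remote.InstalledKB.Count -gt 0
            [pscustomobject]@{
                DomainController = $name
                OSVersion        = $remote.OSVersion
                Status           = if ($patched) { 'Patched' } else { 'Unpatched' }
                InstalledKB      = ($remote.InstalledKB -join ',')
                EnforcementMode  = if ($remote.Enforcement -eq 1) { 'On' } else { 'Off/Unset' }
                LastBoot         = $remote.LastBootTime
                Action           = if ($patched) { 'None' } else { 'Apply update or remove from network (Action 1a)' }
            }
        }
        catch {
            # A DC that cannot be reached cannot be attested as patched; the directive's
            # Action 1b covers disconnected DCs, so report it rather than skip it.
            [pscustomobject]@{
                DomainController = $name
                OSVersion        = $null
                Status           = 'Unreachable'
                InstalledKB      = $null
                EnforcementMode  = 'Unknown'
                LastBoot         = $null
                Action           = "Verify before reconnecting (Action 1b): $($_.Exception.Message)"
            }
        }
    }
}

$report = Get-DcZerologonPatchReport
$report | Format-Table -AutoSize
# Anything not 'Patched' feeds the completion report the CIO must submit (Action 2).
$report | Where-Object Status -ne 'Patched' | Export-Csv -NoTypeInformation -Path '.\zerologon-noncompliant-dcs.csv'
```

Get-HotFix only reflects updates that have finished installing, so a DC that has staged the update but not rebooted shows as Unpatched; the LastBoot column is there to make that case visible when reconciling the report.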
(SecurityAffairs – hacking, Zerologon)