Zerologon Vulnerability

Today we decided to post an article regarding the Zerologon Vulnerability, a vulnerability found on domain controllers.

Zerologon Vulnerability
Zerologon Vulnerability

Introduction

In September this year, a very intriguing article was published. This Secura article made some very eye-opening disclosures. It published about a new-found vulnerability, CVE-2020-1472 or in simple words Zerologon.

For people who are completely unaware, Zerologon is kind of a vulnerability. This vulnerability allows an easy attack on domain controllers of the Microsoft Active Directory. This attack paves way for hackers to impersonate any domain controller. Since the targets are the domain controllers, the Zerologon vulnerability is a major threat for big corporations and organizations.

The hackers, through this attack, gain control over servers and hosts associated with the data center. This gives freedom to these hackers to get access to the organization’s environment.

How did it all start?

There is a reason behind why CVE-2020-1472 or Zerologon is named as such. Zerologon stands for the flaw found in the login process where the initialization vector (IV) is set as zero at all times. But actually, the vector must be a random number always.

Although the revelation of this vulnerability was made in September 2020, it was already patched a month back in August. After the release of the report, we started noticing different POC’s and activities.

How does the attack work?

The attack uses the authentication protocol flaws to authenticate the identity of a domain-joined PC or laptop. This validation is made to the Domain controller. The wrong usage of an AES operation mode makes it easy to attack any computer and secure its control through an empty password.

The exploitation includes sending an unbelievable amount of requests to a Domain Controller for authentication. These requests are sent through NetLogon. These usually have client requests with just 0’s as the credentials. When a random good key is selected by the server, it leads to a logon.

The exploit uses the newly gained connection to reset a blank value as the new password. Once done, he can then move to control the Domain Admin.

In simple words, through sending so Netlogon messages with fields filled with just zeros, a hacker can reset the password of a domain controller. The Admin privileges give the attacker a powerful weapon to harm an organization’s environment. This weapon provides the hacker access to any asset of the organization. The hacker can then withdraw all the internal data and even steal all banking credentials. The attacker can also choose to harm the intellectual property of the organization.

The Admin privileges gained can also give way to Ransomware attacks leading to a huge organizational attack.

What has Microsoft done to stop it?

Microsoft released a patch update for the security. This update was already released in August 2020. This update has two parts. The detail below is of the first part while the second is yet to release. The expected date is 2nd February 2021. The update’s first part reports a few changes to the NetLogon Protocol. The detail of the changes is given below:

  1. A secure use of  RPC  for all machine accounts on any device with Windows
  2. A secure use of RPC for all trust accounts.
  3. A secure use of RPC for all non-Windows and Windows accounts.
  4. A new policy to allow all non-compliant devices accounts that use secure Netlogon connections. This policy is applicable even when all the DCs are activated in the enforcement mode
  5. A protection registry key to ensure all machine accounts have an enabled DC enforcement mode.

 

Organizations at risk should make sure that their IT departments have implemented the patch released in August. In the patch released in August, there were five Event IDs to deal with any vulnerable connection. In the deployment phase, on the allowance of any secure channel connection, an Event ID 5829 is produced.

If you want to watch out for the existence of Zerologon vulnerability in your connection, find Event ID 4742. Look for users with “ANONYMOUS LOGON” and see if the last set field of the password has changed.

The admin of any organization has the capability to keep a check on Event IDs 5827 and 5828. These two IDS are specifically triggered when a Netlog connection is rejected.

Event IDs 5830 and 5831 are also two major events. They are generated when patched controllers are allowed from Netlogon connections. This only occurs when the Group policy allows it.

It is strongly recommended to update your organization’s environment with these new security patches. If you work with an organization, you must ask the IT department to keep monitoring all networks since the patch is evolving with time.

What happens when you don’t patch immediately?

If you fail to patch, you are allowing the attacker to harm your most critical assets and organization secrets. The idea of Zerologon vulnerability is real. It is a real-time bug, pretty much active. The hackers actively use it as a weapon to attack organizations and enterprises.

Some so many attackers are capable enough to use the Zerologon vulnerability for their good. They can present themselves as the domain controllers and issue a golden ticket for themselves. They can then use this very ticket to issue new tokens at any other level.

What is the role of Virtual Patching?

A virtual patch is a group of rules that reduces the software vulnerability without doing anything to the vulnerable code.

There should be no compromise on traditional security. There should always be rules and measures to identify troubling networks or accounts, harmful traffic, and many other doubtful activities that indicate some kind of external force.

You should always install antimalware software and Intrusion prevention systems to your network and all devices. This must be done to keep a check on any viruses, ransomware, and other external threats.

The Security Information & Event Manager should have the collecting, centralizing, and Analyzing Logs as part of their job. After a thorough log analysis, there should be active and authorized procedures and people to detect any kind of system compromise. Once deducted, an incident response team must be put in place to analyze the extent of damage done and then curate solutions to bring all back to normal.

Conclusion

Zerologon Vulnerability is a new concept and it has put fear in the hearts of many organizations. The good thing is that Microsoft, through its updates, is taking it quite seriously. Considering the efforts being put, we might just get rid of this soon.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.