Hackers Continue to Exploit the Vulnerability as Users Struggle With Initial Fix
Microsoft has issued additional guidance on how to correctly deploy its patch for Zerologon, an elevation of privilege vulnerability in the Netlogon Remote Protocol used by Windows Server domain controllers.
The update comes as Cisco Talos researchers report a spike in attempts to exploit the flaw.
The new Microsoft notice contains step-by-step instructions on how to implement the fix after the partial patch for Zerologon, which is tracked as CVE-2020-1472, proved confusing to users and may have caused issues with other business operations, says Oliver Tavakoli, CTO at the cybersecurity firm Vectra.
“Some vulnerabilities are simply not straightforward to patch because the patch may break legitimate business processes,” he says. “That is the case with this vulnerability, so step-by-step instructions are clearly necessary to successfully mitigate the vulnerability without breaking potentially business-critical apps.”
The Zerologon vulnerability was given a CVSS score of 10.0, the highest possible severity rating.
String of Attacks
Compounding the problem is a string of attacks launched against unpatched Windows Server installations.
Kevin Beaumont, senior threat intelligence analyst at Microsoft Threat Intelligence, wrote in a Saturday blog post that he had spotted an increase in attacks.
“At 11:16 am UTC today (26th September 2020), somebody sent hundreds of login attempts matching the exploit chain and then attempted to reset the domain computer password to blank (successfully, too). This broke the domain controller for authentication,” Beaumont wrote.
Cisco Talos did not enumerate the number of attacks it’s seeing against CVE-2020-1472. The U.S. Cybersecurity and Infrastructure Security Agency issued a warning on Thursday that it was detecting attacks on unpatched systems.
Microsoft issued a four-step plan to protect a user’s environment and prevent outages:
- Update domain controllers with a patch released Aug. 11 or later.
- Find devices that are making vulnerable connections by monitoring event logs.
- Address noncompliant devices making vulnerable connections.
- Enable enforcement mode to address CVE-2020-1472 in your environment.
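As an added example (not from the article, Microsoft or Cisco Talos), the following PowerShell, run on a domain controller that already has the August update, carries out steps 2 and 4 of that plan. It assumes the Netlogon event IDs 5827 through 5831 that the August update added to the System log (5829 marks a vulnerable connection that was still allowed and therefore a device that needs fixing; 5827 and 5828 mark denied connections; 5830 and 5831 mark connections allowed only because of a Group Policy exception), and it assumes the `FullSecureChannelProtection` DWORD under the Netlogon `Parameters` registry key, which is how enforcement mode is switched on before the February update forces it. The seven-day window, the regular expression over the event text and the output layout are the example's own choices.

```powershell
# Added example, not code from the article or from Microsoft. Run as an administrator
# on a domain controller that has the August 2020 (or later) Netlogon update installed.

# ---- Step 2: find devices still making vulnerable Netlogon secure channel connections ----
# Assumption: the Netlogon service logs these IDs to the System log after the August update.
$netlogonIds = @{
    5827 = 'Denied (machine account)'
    5828 = 'Denied (trust account)'
    5829 = 'Allowed, still vulnerable (fix this device)'
    5830 = 'Allowed by Group Policy exception (machine account)'
    5831 = 'Allowed by Group Policy exception (trust account)'
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Netlogon'
    Id           = [int[]]$netlogonIds.Keys
    StartTime    = (Get-Date).AddDays(-7)   # example's own choice of lookback window
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws if no matching events exist,
# and "no events" is exactly the result we want to see before enabling enforcement.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# The rendered event text carries a "Machine SamAccountName:" line naming the account
# that made the connection; pull it out so each device can be patched or given an exception.
$report = foreach ($e in $events) {
    $account = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Outcome     = $netlogonIds[$e.Id]
        Account     = $account
    }
}

Write-Host "Netlogon secure channel events in the last 7 days: $($events.Count)"
$report | Group-Object EventId, Account | Sort-Object Count -Descending |
    Select-Object Count, @{n='EventId';e={($_.Group | Select-Object -First 1).EventId}},
                         @{n='Outcome';e={($_.Group | Select-Object -First 1).Outcome}},
                         @{n='Account';e={($_.Group | Select-Object -First 1).Account}} |
    Format-Table -AutoSize

# Only ID 5829 represents work still to do: devices that would be cut off by enforcement.
$stillVulnerable = @($report | Where-Object EventId -eq 5829 | Select-Object -ExpandProperty Account -Unique)

# ---- Step 4: enable enforcement mode once the 5829 list is empty ----
# Assumption: FullSecureChannelProtection = 1 under the Netlogon Parameters key is the
# enforcement switch; the February 2021 update makes this the behaviour regardless of the key.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

if ($stillVulnerable.Count -gt 0) {
    Write-Warning "Not enabling enforcement: $($stillVulnerable.Count) account(s) still make vulnerable connections:"
    $stillVulnerable | ForEach-Object { Write-Warning "  $_" }
    Write-Warning 'Patch these devices, or add them to the "Domain controller: Allow vulnerable Netlogon secure channel connections" policy, then re-run.'
} else {
    Set-ItemProperty -Path $key -Name FullSecureChannelProtection -Value 1 -Type DWord
    $current = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection).FullSecureChannelProtection
    Write-Host "FullSecureChannelProtection is now $current (1 = enforcement mode) on $env:COMPUTERNAME"
}
```

Run it on every domain controller, not just one: the events are logged only by the domain controller that serviced the connection, and the registry value is per server.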
Microsoft issued the first phase of the patch on Aug. 11. In this deployment phase, patched domain controllers reject vulnerable Netlogon connections from Windows devices, domain controllers and trust accounts, but by default still accept them from other devices and log those connections so administrators can find and fix them. The second phase, scheduled for Feb. 9, 2021, will switch on enforcement mode, under which all vulnerable connections are rejected unless an explicit exception has been configured.
“The [domain controllers] will now be in enforcement mode regardless of the enforcement mode registry key,” Microsoft says. “This requires all Windows and non-Windows devices to use secure [Remote Procedure Call] with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device.”
The Zerologon vulnerability affects Windows Server’s Netlogon Remote Protocol, or MS-NRPC – an authentication component of Active Directory that organizations deploy to manage user accounts, including authentication and access, according to Microsoft’s initial alert.
“An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network,” Microsoft says. “To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.”
In its report, Cisco Talos further explains, “The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which – among other things – can be used to update computer passwords by forging an authentication token for specific Netlogon functionality. This flaw allows attackers to impersonate any computer, including the domain controller itself, and gain access to domain admin credentials.”
Since the patch was released in August, Microsoft, CISA and other security firms have issued alerts warning that malicious actors were taking advantage of the vulnerability (see: Warning: Attackers Exploiting Windows Server Vulnerability).