Zerologon Windows exploit lets attackers instantly become admins on enterprise networks

nanoguy

A hot potato: It's considered good practice among system administrators not to install software updates as soon as they are out unless they purposely fix security flaws. That goes doubly for Windows updates, given the recent history of poor quality control that leaves multiple things broken after installation. This time, however, the severity of a newly discovered flaw makes that risk pale in comparison to the risk of compromising your Windows domain.

Security researchers have revealed new proof-of-concept code for a Windows flaw that allows an attacker to easily infiltrate enterprise networks, gain administrative privileges, and get full access to Active Directory domain controllers on Windows servers.

The flaw, dubbed "Zerologon," is essentially a severe privilege-escalation bug that Microsoft addressed in the August 2020 security updates. That means that if you've delayed the installation of those patches, you may have a big problem on your hands, as there are now four additional methods demonstrated on GitHub.

When Dutch security company Secura discovered a vulnerability in Netlogon, it was catalogued as a less severe flaw than Zerologon, since it required a person-in-the-middle attack to become an effective tool for malicious actors. Zerologon, however, allows an attacker to craft an authentication token for the Netlogon Remote Protocol that makes it possible to set the Domain Controller's computer password to a value of their choosing.

Researchers explained that the issue stems from the incorrect use of AES-CFB8 encryption, which requires a randomly generated initialization vector for each authentication message. Because Windows does not meet this requirement, an attacker can put zeros into specific fields and take over the domain controller in a matter of seconds, in a process detailed here.
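To make the cryptographic point concrete, here is an added illustration (not code from the article, from Secura, or from Windows) of why CFB8 with a fixed all-zero IV behaves so badly. It uses a constructed keyed function built from SHA-256 as a stand-in for the AES block function, since CFB only ever uses the forward direction of the block cipher, so the mode-level behaviour is the same. The constants, key generation and helper names are this example's own assumptions. The property it demonstrates: with a zero IV and all-zero input, the 8-byte output is all zero whenever the very first keystream byte is zero (about 1 key in 256), whereas with any other IV that outcome needs eight independent zero bytes (about 2^-64).

```python
import hashlib
import random

BLOCK = 16  # block size in bytes, as for AES


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for the AES block function: a keyed pseudorandom function
    # built from SHA-256. CFB mode only ever uses the forward (encrypt)
    # direction, so the mode-level behaviour shown here matches real AES.
    # Constructed toy for illustration; this is not AES and not Netlogon code.
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CFB8: encrypt the 16-byte shift register, XOR its first output byte with
    # one plaintext byte, then shift that ciphertext byte into the register.
    assert len(iv) == BLOCK
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = toy_block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        del register[0]
        register.append(c)
    return bytes(out)


ZERO_IV = bytes(BLOCK)
ZERO_PLAINTEXT = bytes(8)  # an all-zero 8-byte input, constructed for the demo


def all_zero_output(key: bytes, iv: bytes = ZERO_IV) -> bool:
    # Does an all-zero 8-byte input encrypt to an all-zero 8-byte output?
    return cfb8_encrypt(key, iv, ZERO_PLAINTEXT) == ZERO_PLAINTEXT


def first_keystream_byte_is_zero(key: bytes) -> bool:
    return toy_block_encrypt(key, ZERO_IV)[0] == 0


def zero_iv_collapse_holds(keys) -> bool:
    # With a fixed all-zero IV and all-zero plaintext, every ciphertext byte is
    # the first keystream byte: if that byte is 0 the register never changes,
    # so all 8 output bytes are 0. The whole result hinges on one 1-in-256 event.
    return all(all_zero_output(k) == first_keystream_byte_is_zero(k) for k in keys)


def random_keys(count: int, seed: int = 1):
    # Deterministic pseudo-random 128-bit keys so runs are reproducible.
    rng = random.Random(seed)
    return [rng.getrandbits(128).to_bytes(16, "big") for _ in range(count)]


def all_zero_rate(keys, iv: bytes = ZERO_IV) -> float:
    # Fraction of keys for which the output is all zero. Expect roughly 1/256
    # with the zero IV and essentially 0 (about 2**-64) with any other IV.
    return sum(all_zero_output(k, iv) for k in keys) / len(keys)


def find_collapsing_key(max_tries: int = 5000, seed: int = 7):
    # First key (under a fixed seed) whose first keystream byte is zero, or None.
    for k in random_keys(max_tries, seed):
        if first_keystream_byte_is_zero(k):
            return k
    return None


if __name__ == "__main__":
    keys = random_keys(4096)
    print("zero-IV collapse property holds:", zero_iv_collapse_holds(keys))
    print("all-zero rate, zero IV     :", all_zero_rate(keys))
    print("all-zero rate, non-zero IV :", all_zero_rate(keys, bytes(range(1, 17))))
```

The two rates printed at the end are the whole story: a random per-message IV would make the all-zero outcome astronomically rare, while a fixed zero IV turns it into a one-byte coin flip that a caller who controls the input can simply retry.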

Microsoft's August 2020 security patch applies this requirement to render all Zerologon attacks ineffective, and Secura has published a Python script that can tell administrators if their Domain Controller has been patched correctly.
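Installing the update is only half the job: a patched domain controller starts logging Netlogon events (IDs 5827 through 5831, as documented in Microsoft's guidance for the August 2020 update) that show which devices still negotiate the vulnerable way or have been exempted by policy. The following triage script is an added example, not Secura's script and not Microsoft tooling; the pipe-separated export layout, field names and every log line in it are constructed for the demo, so adapt the regex to whatever your SIEM or `wevtutil` export actually produces.

```python
import re
from collections import defaultdict

# Event IDs a domain controller logs once the August 2020 Netlogon update is
# installed (per Microsoft's guidance for the update; descriptions paraphrased).
NETLOGON_EVENTS = {
    5827: "denied vulnerable connection (machine account)",
    5828: "denied vulnerable connection (trust account)",
    5829: "allowed vulnerable connection (deployment phase)",
    5830: "allowed vulnerable connection (machine account permitted by policy)",
    5831: "allowed vulnerable connection (trust account permitted by policy)",
}

# Constructed sample export, one event per line in a simplified
# "timestamp|EventID|SamAccountName|Domain" layout. Not real log data.
SAMPLE_EXPORT = """\
2020-09-15T08:01:12|5829|LEGACY-NAS$|CORP
2020-09-15T08:03:40|5827|LEGACY-NAS$|CORP
2020-09-15T08:05:02|4624|jdoe|CORP
2020-09-15T08:07:55|5829|OLD-PRINTER$|CORP
2020-09-15T08:09:13|5830|ALLOWED-APP$|CORP
2020-09-15T08:11:47|5829|LEGACY-NAS$|CORP
"""

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<eid>\d+)\|(?P<acct>[^|]+)\|(?P<domain>[^|]+)$")


def parse_export(text):
    # Yield (timestamp, event_id, account, domain) for each line matching the layout.
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], int(m["eid"]), m["acct"], m["domain"]


def triage(text):
    # Per account: which Netlogon enforcement events it triggered and how often.
    # 5829 means a device still negotiates the vulnerable way and will be cut off
    # once enforcement mode is on; 5827/5828 means enforcement already blocked it;
    # 5830/5831 means someone explicitly exempted it by policy, which needs review.
    report = defaultdict(lambda: defaultdict(int))
    for _ts, eid, acct, domain in parse_export(text):
        if eid in NETLOGON_EVENTS:
            report[f"{domain}\\{acct}"][eid] += 1
    return {acct: dict(events) for acct, events in report.items()}


def accounts_needing_attention(text):
    # Accounts that were allowed a vulnerable connection (5829/5830/5831), sorted.
    flagged = {5829, 5830, 5831}
    return sorted(acct for acct, events in triage(text).items() if events.keys() & flagged)


if __name__ == "__main__":
    for acct, events in triage(SAMPLE_EXPORT).items():
        print(acct, {NETLOGON_EVENTS[e]: n for e, n in events.items()})
    print("needs attention:", accounts_needing_attention(SAMPLE_EXPORT))
```

Unrelated events (the 4624 logon in the sample) are ignored, and the per-account counts make it easy to see which legacy devices need firmware updates or a documented exception before enforcement mode turns 5829 into 5827.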


 
I expect there will be lazy administrators leaving their servers without these patches, and then WannaCry 2 will happen.
I also expect there will be comments hating Windows updates because they create more bugs. For God's sake, just open the Settings app to defer Windows 10 feature updates for a year while security updates stay on immediate installation.
 
"It's considered good practice among system administrators not to install software updates as soon as they are out unless they purposely fix security flaws."

Yeah. Among incompetent system administrators. The 2000s called, they want their headline back.
 
"It's considered good practice among system administrators not to install software updates as soon as they are out unless they purposely fix security flaws."

Yeah. Among incompetent system administrators. The 2000s called, they want their headline back.
Lol. No sane person rushes to install anything but critical security patches. Far too often updates - especially feature updates - break more things than they fix.
 
Lol. No sane person rushes to install anything but critical security patches. Far too often updates - especially feature updates - break more things than they fix.
This. We have a staging group of non-critical servers and PCs that apply fresh updates first. If things are going to break, we’ll know about it before it brings down critical infrastructure. The rest update a couple of weeks later.
 