The Zerologon vulnerability Microsoft patched in Windows Server last month is actively being exploited in several attacks.
"Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks," Microsoft's security intelligence team said. The team also published the hashes used in the attacks.
Cybersecurity and Infrastructure Security Agency issued a rare emergency directive ordering federal agencies to either patch affected servers or disconnect them because of concerns over the “grave impact” attacks would have on government networks. Multiple proofs-of-concept exploits have been released since Dutch security firm Secura published the technical details of Zerologon (CVE-2020-1472) earlier this month. Secura researchers had asserted the vulnerability does not require a high level of skill to exploit.
An attack exploiting this vulnerability would have “a huge impact,” Secura said in its analysis. “It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain.”
Zerologon is a privilege escalation vulnerability in the Netlogon Remote Protocol (MS-NRPC) used by Windows domain controllers for user- and machine-authentication. An unauthenticated attacker with network access to a domain controller would be able to exploit the flaw to completely compromise all Microsoft Entra ID identity services.
One thing about Zerologon: it doesn't matter if the server is directly connected to the Internet or behind the firewall in its own network. Leaving the flaw unpatched is risky, period. If the domain controller is accessible from the Internet, that means attacks can be mounted directly, without the attacker first trying to find a way onto the network. If the domain controller is not accessible from the Internet, then this becomes a two-stage attack, with the first step being using a different exploit or technique to break into the network. Once in, the vulnerable domain controller is easily exploitable.
Not Just Windows Server
The vulnerability is also present in Samba, the file-sharing utility for swapping materials between Linux and Windows systems, since it also relies on the Netlogon protocol. Since Zerologon is a protocol-level flaw, any application using the protocol would be vulnerable.
In the case of Samba, however, whether or not the system is affected depends on the version and how it has been configured. According to the advisory, Samba is affected when it is used as the domain controller only, and especially so when it's running as an Microsoft Entra ID domain controller. The vulnerability is considered to have low impact on the classic (NT4-style) domain controller. If the system is running Samba only as a file server, it is not directly affected. Users should still patch in the case of file-server installations, and “they may need configuration changes to continue to talk to domain controllers,” the advisory said.
Samba versions 4.7 and below are affected. Samba released version 4.8 in March 2018, and all versions since then are not vulnerable because the default behavior has been to insist on a secure netlogon channel, according to the advisory. If Samba 4.8 (and later) is not running the default configuration and has server schannel = no or server schannel = auto in smb.conf, then the vulnerability is present. Likewise, if Samba 4.7 (and earlier) is not running the default and has server schannel = yes in smb.conf, then the vulnerability is not present.
Windows at Risk
Security consultancy Acros Security has released a micropatch for Zerologon on its 0patch platform. The micropatch is particularly important for administrators with Windows Server 2008 R2 in their networks since that version of the operating system reached end-of-support in January and no longer receives official security updates.
End-of-support doesn’t mean no-longer-being-used. While Microsoft urged organizations to move their servers to the Azure cloud platform to continue getting updates, organizations may still have Microsoft Entra ID on Windows Server 2008 R2 servers. Those systems will need to be either removed from the network or updated with the micropatch.
Secura released a tool to help administrators find vulnerable systems earlier in the month. CISA has followed up its warnings and directive with a patch validation script to detect unpatched Microsoft domain controllers. Microsoft 365 customers can also look up technical details, mitigations, and detection details in the threat analytics report published in the Microsoft Defender Security Center.
"CISA urges administrators to patch all domain controllers immediately—until every domain controller is updated, the entire infrastructure remains vulnerable," the agency wrote in an alert.