It has been more than two months since Microsoft released a patch for the Zerologon vulnerability in Windows Server, and for organizations that have not yet applied the fix, time is running short.
Within a few weeks of the patch release, Microsoft warned that attackers were actively targeting the vulnerability (CVE-2020-1472) and urged customers to apply the fix as soon as possible. The vulnerability is a privilege escalation flaw in the Netlogon Remote Protocol that Windows domain controllers use for authentication, and a successful exploit could give an attacker access to domain credentials. Details of the vulnerability, as well as exploit code, have been public for several weeks, and Microsoft said Thursday that some of its customers are continuing to see attacks against the bug.
“Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020. If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be used to steal domain credentials and take over the domain,” Aanchal Gupta, vice president of engineering for the Microsoft Security Response Center, said in a post.
“Deploying the August 11, 2020 security update or later release to every domain controller is the most critical first step toward addressing this vulnerability. Once fully deployed, Microsoft Entra ID domain controller and trust accounts will be protected alongside Windows domain-joined machine accounts. We strongly encourage anyone who has not applied the update to take this step now.”
The Zerologon vulnerability is dangerous for several reasons, primarily because of the consequences of a successful attack, which can end in a full domain takeover. Any organization with a domain controller reachable from the Internet (not a recommended configuration) is at even greater risk, since an attacker could exploit the vulnerability directly, without needing a second flaw to reach the domain controller first.
To supplement Microsoft’s advisory, the Cybersecurity and Infrastructure Security Agency issued its own warning, reiterating that it has seen state actors targeting the Zerologon flaw and urging enterprises to apply the available fixes.
“The Cybersecurity and Infrastructure Security Agency (CISA) has observed nation state activity exploiting this vulnerability. This malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks,” CISA’s guidance says.
“If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber actors have compromised all identity services.”
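As an added illustration of the triage that CISA's advice implies (example code, not from the article, Microsoft or CISA): after the August 2020 update a domain controller logs an event when it denies or allows a vulnerable Netlogon secure channel connection. The event IDs used here (5827/5828 for denied connections, 5829 for an allowed one) come from Microsoft's deployment guidance rather than this article, and the one-line record layout and sample records are constructed for the example.

```python
"""Triage Netlogon secure-channel events from a patched domain controller.

Assumptions (not from the article): event 5827/5828 = vulnerable Netlogon
connection denied (machine / trust account), 5829 = vulnerable connection
allowed during the initial deployment phase. Record layout is a constructed
text format: "<timestamp> <event id> <account> <client address>"."""
from collections import defaultdict
import re

# Constructed sample records, not real log output.
SAMPLE_LOG = """\
2020-10-30T09:12:01Z 5829 OLDPRINT01$ 10.20.0.15
2020-10-30T09:12:44Z 5827 UNKNOWN-WS$ 10.20.0.99
2020-10-30T09:13:02Z 5829 OLDPRINT01$ 10.20.0.15
2020-10-30T09:13:30Z 5828 CORP-TRUST$ 10.30.0.2
2020-10-30T09:14:10Z 4624 SVC-BACKUP$ 10.20.0.40
"""

DENIED = {5827, 5828}           # DC refused a vulnerable connection
ALLOWED_VULNERABLE = {5829}     # DC still allowed one (client needs updating)
RECORD = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")


def triage(log_text):
    """Per account: how many vulnerable connections were denied/allowed,
    and the client addresses they came from. Unrelated events are ignored."""
    stats = defaultdict(lambda: {"denied": 0, "allowed": 0, "sources": set()})
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # malformed record in the constructed format
        _ts, event_id, account, source = m.groups()
        event_id = int(event_id)
        if event_id in DENIED:
            stats[account]["denied"] += 1
        elif event_id in ALLOWED_VULNERABLE:
            stats[account]["allowed"] += 1
        else:
            continue  # e.g. an ordinary 4624 logon: not a Netlogon finding
        stats[account]["sources"].add(source)
    return dict(stats)


def findings(log_text):
    """Flatten triage into (severity, account, detail). Denied attempts
    against a patched DC are treated as possible exploitation attempts;
    allowed vulnerable connections are clients to fix before enforcement."""
    out = []
    for account, s in sorted(triage(log_text).items()):
        if s["denied"]:
            out.append(("high", account,
                        f"{s['denied']} denied from {sorted(s['sources'])}"))
        if s["allowed"]:
            out.append(("medium", account, f"{s['allowed']} still allowed"))
    return out
```

Per CISA's guidance, any "high" finding is a reason to assume identity services may be compromised and to start incident response, not just to re-check patch status.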