Microsoft identified a critical vulnerability in Windows Net logon Remote Protocol. Things got a lot serious when reports pointed towards cyber attackers actively exploiting that security loophole. Microsoft sent out several tweets to inform businesses about the flaw. They asked businesses to install a patch issued to fix this problem immediately.

In one statement, Microsoft said, “We have observed attacks where public exploits have been incorporated into attacker playbooks. We strongly recommend customers to apply security updates for CVE-2020-1472 immediately.”

Even the Department of Homeland Security also agrees and urges IT administrators to patch all domain controllers immediately. They even released a patch validation script, allowing businesses to identify all the Microsoft domain controllers that need to be patched. According to CISA advisory, “Until every domain controller is updated, the entire infrastructure is at risk.”

Don’t know how to install patches? Check out these patching tips. In this article, you will learn everything you want to know about Microsoft’s Zerologon flaw.

What is Net logon/Zerologon Flaw?

Net logon is a core authentication component of Microsoft Active Directory. It is basically a privilege escalation vulnerability that exists in Microsoft Net logon remote protocol.

According to Luke Richards, senior consulting analyst at Vectra, “Net logon is a service provided by domain controllers to give a secure channel between a computer and the domain controller. It normally requires previously established credentials or other authentication methods for the channel to be used.”

With a CVSS base score of 10, which is the highest possible severity rating for a software flaw, Zerologon / Net logon flaw has become a major security concern.

How Does it Work?

The Net logon / Zerologon flaw permits an unauthenticated user to use Microsoft Net logon Remote Protocol for establishing a connection with a domain controller. This allows them to get full administrative access. They can even do that through a machine which is not on the domain and can also perform numerous domain-level actions.

Dustin Childs, communication manager Zero Day Initiative at Trend Micro highlighted another possibility. According to him, “This vulnerability could allow unauthenticated attackers to run arbitrary code on affected Windows domain controllers.” Since they might have additional privileges, this enables attackers to take over the entire domain controller and domain. That is why security experts are urging organizations to act quickly and install patches before it is too late.

Jason Carson, chief security scientist and advisor to CISO at Thycotic, thinks that “Privilege compromise is an extremely severe security issue. It should be a top priority to patch vulnerable systems.” He believes that if CISA has issued an alert, this means that federal departments might have already fallen victim to this security vulnerability.

Consequences

What will happen if I do not patch this vulnerability? According to Dustin Childs, “Failure to patch means you are leaving one of your most critical assets unprotected from an active threat. This is not a theoretical bug that may be exploited by sophisticated attackers. This is a bug being actively used by threat actors against enterprises.” Attackers who successfully exploit this vulnerability could get a golden ticket. They can use this golden ticket to assign new authentication tokens at every level.

How to Fix It?

Microsoft announced that they would be rolling out two patches to mitigate the risk. They have already released one and will release the second one in 2021. The current patch turns on the security features to beef up the cybersecurity. The next patch would focus on enforcing secure logins through remote procedure calls in Net logon.

Dustin Childs further adds, “The currently available patch needs to be applied to all domain controllers — including read-only controllers — and a registry key needs to be created to enforce secure RPC connections. However, until the second patch becomes available, the issue is not fully addressed.”

Even though the current patch has prevented zerologon exploits from functioning, but that does not mean that it will fix the underlying security problems associated with the service. This means that system administrators will have to apply the patch and continuously monitor the non-compliant devices instead of trying to implement a remote procedure call connection, as shown by Microsoft guidelines. Recommending availability over security is an indication that even the patched systems might still be vulnerable.

The best way to fully secure your domain from Zerologon security flaw is to identify domain controllers that are accessible via the internet. Patch these domain controllers and implement remote procedure call connections by following Microsoft guidance.

Keep a close eye on systems that can alert you when your network services are accessed through user accounts and hosts. For instance, if a user has domain admin credentials, this gives the user account and the host access to network services that they have never accessed before.

How do you protect your business from emerging threats such as zerologon flaw? Let us know in the comments section below.