CVE-2020-1472 "Zerologon" Critical Privilege Escalation: What You Need To Know


Earlier today, security firm Secura published a technical paper on CVE-2020-1472, a CVSS-10 privilege escalation vulnerability in Microsoft’s Netlogon authentication process that the paper's authors christened “Zerologon.” The vulnerability, which was partially patched in Microsoft’s August 2020 Patch Tuesday release, arises from a flaw in the cryptographic implementation of the Netlogon protocol, specifically in its use of AES-CFB8 encryption. The impact of successful exploitation is enormous: the flaw allows full takeover of Active Directory domains by compromising Windows servers running as domain controllers—in Secura’s words, enabling “an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint.” This RPC connection can be made either directly or over SMB via named pipes.


Secura’s blog includes proof-of-concept (PoC) code that performs the authentication bypass and can easily be weaponized for use in attacker operations, including ransomware and other malware propagation. It is unlikely to take long for a fully weaponized exploit (or several) to hit the internet.


InsightVM customers can assess their exposure to CVE-2020-1472 with an authenticated check. Organizations that have not already applied Microsoft’s August 11, 2020 security updates are urged to consider patching CVE-2020-1472 on an emergency basis. Microsoft customers who have successfully applied the ..
