Researchers have developed and published a proof-of-concept exploit for a recently patched Windows vulnerability that can allow access to an organization’s crown jewels: Active Directory domain controllers that act as a powerful gatekeeper for all machines connected to a network.
A “crazy” bug with “huge impact”
Such post-compromise exploits have become increasingly valuable to attackers who push ransomware or install spyware. Getting employees to click on malicious links and attachments in emails is relatively easy. Using those compromised computers to pivot to more valuable resources can be much more difficult.
Sometimes it can take weeks or months to escalate low-level privileges to those needed to install malware or execute commands. Enter Zerologon, an exploit developed by researchers from security firm Secura. It allows attackers to gain control of Active Directory immediately. From there, they have free rein to do whatever they want, from adding new computers to the network to infecting each one with malware of their choice.
“This attack has a huge impact,” Secura researchers wrote in a white paper published Friday. “It basically allows any attacker on the local network (such as a malicious insider or someone who has simply plugged a device into a local network port) to completely compromise the Windows domain. The attack is completely unauthenticated – the attacker does not need any user credentials.”
Secura researchers, who discovered the vulnerability and reported it to Microsoft, said they have developed an exploit that works reliably, but given the risk, they won’t release it until they are sure that Microsoft’s patch has been widely installed on vulnerable servers. The researchers warned, however, that it is not difficult to reverse-engineer Microsoft’s patch and develop an exploit from it. Meanwhile, separate researchers from other security companies have posted their own proof-of-concept attack code online.
The release and description of the exploit code quickly attracted the attention of the US Cybersecurity and Infrastructure Security Agency, which works to improve cybersecurity at all levels of government. On Monday, Twitter also lit up with comments noting the threat posed by the vulnerability.
“Zerologon (CVE-2020-1472), the craziest vulnerability ever!” wrote a Windows user. “Domain administrator privileges immediately from unauthenticated network access to DC.”
“Do you remember anything about less privileged access and that it doesn’t matter if a few boxes are opened?” wrote Zuk Avraham, founder and CEO of the security firm ZecOps. “Oh well … CVE-2020-1472 / #Zerologon is basically going to change your mind.”
We can’t ignore attackers when they don’t cause damage. We can’t just wipe out computers with malware / problems without looking into the problems first. We can’t just restore an image without checking what other resources are infected / how the malware got in.
– Zuk (@ihackbanme) September 14, 2020
Keys to the kingdom
Zerologon works by sending strings of zeros in a series of messages using the Netlogon protocol, which Windows servers rely on for a variety of tasks, including allowing end users to log on to a network. Unauthenticated attackers can use the exploit to obtain domain administrator credentials, provided they are able to establish TCP connections with a vulnerable domain controller.
The vulnerability stems from the Windows implementation of AES-CFB8, the use of the AES block cipher in 8-bit cipher feedback mode, to encrypt and validate authentication messages as they traverse the internal network.
For AES-CFB8 to work properly, the so-called initialization vector must be unique and randomly generated for each message. Windows did not meet this requirement. Zerologon exploits this omission by sending Netlogon messages that contain zeros in various carefully chosen fields. Secura’s paper offers a deep dive into the cause of the vulnerability and the five-step approach to exploiting it.
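To make the cryptographic point concrete, here is an added example that is not from the article or from Secura’s paper. It implements the CFB8 chaining rule over a keyed-hash stand-in for AES (the `toy_block_encrypt` function is constructed for the demo and is not AES; the chaining argument holds for any 128-bit block function). It shows that with an all-zero IV and an all-zero plaintext, the whole 8-byte output is zero whenever the first byte of the block function’s output on the zero block is zero, which for a random key happens for about 1 in 256 keys, whereas with a non-zero IV the same outcome would require eight independent coincidences. The `derive_credential` model and the key-search helper are simplifications, not the real Netlogon computation.

```python
"""
Added example: why CFB8 with an all-zero IV and all-zero plaintext is dangerous.

The block function below is a keyed-hash STAND-IN for AES, not AES itself.
Only the CFB8 chaining logic matters for the property being demonstrated.
"""
import hashlib

BLOCK_SIZE = 16                 # AES block size in bytes
ZERO_IV = bytes(BLOCK_SIZE)     # the degenerate IV discussed in the text
# A fixed, clearly non-zero IV, constructed only to contrast with ZERO_IV.
NONZERO_IV = bytes(range(1, BLOCK_SIZE + 1))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 128-bit block cipher: keyed SHA-256 truncated to one block.
    NOT AES; its only job here is to be unpredictable without the key."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("block must be exactly one cipher block")
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """8-bit cipher feedback mode.

    For each plaintext byte: encrypt the 16-byte shift register, XOR the first
    output byte with the plaintext byte, emit that ciphertext byte and shift it
    into the low end of the register.  If the register is all zeros and the
    ciphertext byte is 0x00, the register stays all zeros and every following
    step repeats this one, so one lucky byte decides the whole output.
    """
    if len(iv) != BLOCK_SIZE:
        raise ValueError("IV must be exactly one cipher block")
    register = bytearray(iv)
    ciphertext = bytearray()
    for p in plaintext:
        keystream_byte = toy_block_encrypt(key, bytes(register))[0]
        c = keystream_byte ^ p
        ciphertext.append(c)
        register = register[1:] + bytes([c])
    return bytes(ciphertext)


def derive_credential(key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Simplified model of 'encrypt an 8-byte challenge under a session key
    with CFB8'.  Hypothetical stand-in, not the real Netlogon computation."""
    return cfb8_encrypt(key, iv, challenge)


def zero_challenge_gives_zero_credential(key: bytes, iv: bytes = ZERO_IV) -> bool:
    """True if an all-zero 8-byte challenge encrypts to an all-zero credential,
    i.e. a party that simply guessed 00..00 would match without knowing the key."""
    return derive_credential(key, iv, bytes(8)) == bytes(8)


def count_zero_credentials(iv: bytes, n_keys: int) -> int:
    """Over the deterministic keys 0..n_keys-1, count how many make the
    all-zero challenge encrypt to the all-zero credential."""
    return sum(
        zero_challenge_gives_zero_credential(k.to_bytes(BLOCK_SIZE, "big"), iv)
        for k in range(n_keys)
    )


def find_key_with_zero_credential(iv: bytes = ZERO_IV, limit: int = 1 << 16) -> bytes:
    """Return the first key in 0..limit-1 for which the degenerate case occurs."""
    for k in range(limit):
        key = k.to_bytes(BLOCK_SIZE, "big")
        if zero_challenge_gives_zero_credential(key, iv):
            return key
    raise RuntimeError("no such key in range (essentially impossible for a zero IV)")


if __name__ == "__main__":
    n = 4096
    print(f"zero IV:     {count_zero_credentials(ZERO_IV, n)} of {n} keys "
          f"(roughly 1 in 256, so about {n // 256})")
    print(f"non-zero IV: {count_zero_credentials(NONZERO_IV, n)} of {n} keys (expect 0)")
    key = find_key_with_zero_credential()
    print("example key:", key.hex(), "->",
          derive_credential(key, ZERO_IV, bytes(8)).hex())
```

With the zero IV, the success condition reduces to a single byte test (`toy_block_encrypt(key, ZERO_IV)[0] == 0`), which is what turns an 8-byte credential check into a 1-in-256 chance per attempt; the non-zero IV run shows the register states no longer collapse, so the same coincidence would have to happen eight times in a row. The fix is not to pick a better block cipher but to honour the mode’s IV requirement and to validate such messages properly, which is what the August 2020 update addresses.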
In a statement, Microsoft wrote: “A security update was released in August 2020. Customers who apply the update or have automatic updates enabled will be protected.”
As hinted at in some of the Twitter remarks, some naysayers are likely to downplay the severity by arguing that once attackers gain a foothold on a network, the network is already lost.
This argument runs counter to the defense-in-depth principle, which advocates creating multiple layers of defense that anticipate successful breaches and create redundancies to mitigate them.
Administrators are understandably wary of installing updates that affect network components as sensitive as domain controllers. In this case, not installing may carry more risk than installing sooner than you would like. Organizations with vulnerable servers should gather all the resources they need to ensure this patch is installed as soon as possible.