Microsoft warns Zerologon is being exploited in the wild

We reported a few days ago on the US Homeland security ordering government network admins to immediately patch their Windows Server 2008 and above (including Windows 10 Server)  after the Zerologon vulnerability started spreading in the wild.  Zerologon can compromise a Windows server in as little as 3 seconds.

Now Microsoft has joined the call, saying :

“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.”

Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.

— Microsoft Threat Intelligence (@MsftSecIntel) September 24, 2020

Exploit code has been widely available for nearly a week now, making the development expected.

The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.

By forging an authentication token for specific Netlogon functionality, hackers are able to call a function to set the computer password of the Domain Controller to a known value. After that, the attacker can use this new password to take control over the domain controller and steal credentials of a domain admin.

CISA has issued Emergency Directive 20-04, which instructs the Federal Civilian Executive Branch agencies to apply August 2020 security update (CVE-2020-1472) for Microsoft’s Windows Servers to all domain controllers.

CISA has directed government servers by patched by this Monday, the 21st September, but also strongly urged their partners in State and local government, the private sector, and the American public to apply this security update as soon as possible.

If the servers cannot immediately apply the update, they urge companies to remove relevant domain controllers from their networks and definitely the internet, something other security researchers also agree with.

Heads up all Microsoft AD administrators! If you are crazy enough to run your servers with direct internet connectivity – you are in *grave* danger. Patch #Zerologon like..last month! https://t.co/sCC2hM0PAj

— Kauto Huopio (@kautoh) September 24, 2020

via ZDNet