US Homeland security is requiring network admins to immediately patch their Windows Server 2008 and above (including Windows 10 Server) after the Zerologon vulnerability started spreading in the wild which can compromise a server in as little as 3 seconds.
The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.
By forging an authentication token for specific Netlogon functionality, hackers are able to call a function to set the computer password of the Domain Controller to a known value. After that, the attacker can use this new password to take control over the domain controller and steal credentials of a domain admin.
CISA has issued Emergency Directive 20-04, which instructs the Federal Civilian Executive Branch agencies to apply August 2020 security update (CVE-2020-1472) for Microsoft’s Windows Servers to all domain controllers.
CISA has directed government servers by patched by this Monday, the 21st September, but also strongly urged their partners in State and local government, the private sector, and the American public to apply this security update as soon as possible.
If the servers cannot immediately apply the update, they urge companies to remove relevant domain controllers from their networks.