Security I Trust

Zerologon CVE-2020-1472

A Zerologon attack could let hackers take over enterprise networks.
Name: ZeroLogon
CVE-2020-1472
10/10 CVSSv3 Severity score
Attack Type: Elevation of privilege in Netlogon

The team at Secura B.V. published a technical report on CVE-2020-1472. The bug takes advantage of a weak cryptographic algorithm used in the Netlogon authentication process. It allows an attacker to manipulate Netlogon authentication procedures and impersonate the identity of any computer on a network. In effect, an attacker can take over a domain controller with a bunch of zeros.
A vulnerable system can be compromised in about 3 seconds.

Risk
An attacker could pose as the domain controller and change its password, allowing the attacker to take over the entire corporate network.
This bug has limitless possibilities, so it could be used by malware and ransomware gangs.
There are limitations to how a Zerologon attack can be used. It cannot be used to take over a Windows Server from outside the network. The attacker first needs a foothold inside the network.

Patching:
Microsoft plans to patch this vulnerability in two stages.
The Phase 1 patch was released in August as a temporary fix for the Zerologon attack. This temporary patch made the Netlogon security feature mandatory for all Netlogon authentications, which breaks Zerologon attacks. (There is a risk that this patch may break authentication on some devices.)
The Phase 2 patch is scheduled for February 2012. It is a more complete patch to fully fix this issue.
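
To find the devices whose authentication is at risk between the two phases, a defender can triage the Netlogon events that the August update writes to the System log on domain controllers. The sketch below is an added example, not code from Secura or Microsoft: the event IDs 5827 to 5831 come from Microsoft's guidance for this update (KB4557222), while the JSON export format, field names and host names are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Netlogon System-log event IDs added by the August 2020 update (KB4557222).
CATEGORY = {
    5827: "denied",            # machine account refused: no secure RPC
    5828: "denied",            # trust account refused: no secure RPC
    5829: "allowed_insecure",  # vulnerable connection still allowed before enforcement
    5830: "policy_exception",  # machine account allowed by Group Policy exception
    5831: "policy_exception",  # trust account allowed by Group Policy exception
}

# Constructed sample: one JSON object per line, as a log shipper might export
# System-log records. Field names and host names are assumptions.
SAMPLE = """\
{"time": "2020-09-21T08:01:12Z", "dc": "DC01", "event_id": 5829, "account": "NAS01$"}
{"time": "2020-09-21T08:03:40Z", "dc": "DC01", "event_id": 5829, "account": "nas01$"}
{"time": "2020-09-21T08:05:02Z", "dc": "DC02", "event_id": 5827, "account": "LAB-PC7$"}
{"time": "2020-09-21T08:07:55Z", "dc": "DC02", "event_id": 5830, "account": "PRINTSRV$"}
{"time": "2020-09-21T08:09:10Z", "dc": "DC01", "event_id": 7036, "account": ""}
{"time": "2020-09-21T08:09:11Z", "dc": "DC01", "event_id": 58
"""

def triage(lines):
    """Count Netlogon events per account; returns {category: {account: count}}."""
    result = defaultdict(lambda: defaultdict(int))
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or malformed records
        if not isinstance(rec, dict):
            continue
        category = CATEGORY.get(rec.get("event_id"))
        account = str(rec.get("account") or "").upper()  # account names are case-insensitive
        if category and account:
            result[category][account] += 1
    return {cat: dict(accounts) for cat, accounts in result.items()}

def at_risk_accounts(report):
    """Accounts still connecting without secure RPC; these fail once it is enforced."""
    return sorted(report.get("allowed_insecure", {}))

if __name__ == "__main__":
    report = triage(SAMPLE.splitlines())
    print(json.dumps(report, indent=2), at_risk_accounts(report))
```

Accounts under `allowed_insecure` are the ones to update or replace before the second phase; accounts under `policy_exception` remain exposed for as long as the exception stays in place.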
