IT administrators are being urged to prioritize installing a security patch for Windows Server that Microsoft issued in August to close a vulnerability in Active Directory.
Dubbed Zerologon, if exploited, an attacker could gain a foothold on an internal network to become domain admin with one click. According to security firm Secura, which discovered the bug, all that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint.
While the patch has been available for over a month, it’s considered so serious that on Friday the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency order to all federal departments to update all Windows Servers with the domain controller role by midnight tonight Eastern time.
UPDATE: On Sept. 23 Microsoft said it is seeing this vulnerability being exploited by hackers.
CISA’s Canadian counterpart, the Canadian Centre for Cyber Security (CCCS) warned both public and private sector organizations on Sept. 16 to install the patch immediately.
Tracked as CVE-2020-1472, the exploit occurs when establishing a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol. The Netlogon Remote Protocol (also called MS-NRPC) is an interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel.
By forging an authentication token for specific Netlogon functionality, an attacker can call a function to set the computer password of the domain controller to a known value. After that, the attacker can use this new password to take control over the domain controller and steal the credentials of a domain admin.
The updates enforce the specified Netlogon client behaviour to use secure RPC with Netlogon secure channel between member computers and Active Directory domain controllers. To provide Active Director forest protection, all domain controllers must be updated since they will enforce secure RPC with Netlogon secure channel. This includes read-only domain controllers.
The August patch issued by Microsoft is actually the first phase of a fix. Starting with updates to be issued Feb. 9, 2021, enforcement mode will be enabled on all Windows domain controllers, regardless of the registry setting. Domain Controllers will deny vulnerable connections from all non-compliant devices unless they are added to the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
