This is a cryptographic flaw in the Microsoft Netlogon process that enables an attack on Microsoft Active Directory domain controllers, allowing an attacker to impersonate any machine, including the root domain controller.
The vulnerability tracked as CVE-2020-1472 was given the name Zerologon. The name comes from the error in the logon method: the initialization vector (IV) is always set to all zeros, when an IV should be a random value.
On the Common Vulnerability Scoring System (CVSS v3.1), this dangerous vulnerability is rated 10 out of 10. Working proof-of-concept (PoC) exploits exist, and it is very likely that real-world attacks will follow shortly.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering civilian federal agencies to immediately patch or remove all affected Windows servers, and warned non-governmental entities to do the same. Microsoft released the first of two patches in August 2020; it must be applied to all domain controllers.
Tom Tervoort, a Dutch researcher who works for Secura, disclosed the flaw in September 2020. The vulnerability had in fact been patched in August, but PoCs and related activity only began to appear after he published his paper in September. Tervoort's paper details the discovery and the process that led to it: during his research he noticed a striking lack of awareness of MS-NRPC and, intrigued, went looking for more information.
The crux of his finding is that Microsoft adopted a custom variant of cryptography for this protocol that differs from all of its other RPC protocols. In the Windows NT era, accounts registered to a machine were not treated as first-class accounts, so Microsoft could not use standard Kerberos or NTLM to authenticate computer or machine accounts, and the developers built an alternative instead. Designing encryption code and protocols that cannot be broken is extremely hard, and, as in this case, it can take a very long time before the weaknesses are discovered.
This weakness lets an attacker take over a domain controller (DC), including the root DC. It is done by changing or removing the password of a service account on the controller. From there the attacker can easily cause a denial of service or take over and own the entire network.
To exploit this vulnerability, attackers must be able to establish a TCP session with a DC. If they are physically inside the network, that could be from a user's desk or from an open port in a location such as a meeting room. Such exploits count as insider attacks, currently the most costly kind of attack for a corporation. They can also be launched from outside the network as long as the attacker gains a foothold somewhere from which to open the TCP session to the controller.
Tervoort discovered that with AES-CFB8 and a fixed IV of 16 zero bytes, one in every 256 keys will produce ciphertext consisting entirely of zeros. The attacker therefore needs to try only a very small number of keys to obtain all-zero ciphertext; on the attacker's machine this takes at most two or three seconds.
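As an added illustration (not code from this article or from Secura's tool), the following Go program implements AES-CFB8 by hand so the effect of the fixed all-zero IV is visible: with an all-zero IV and all-zero input, the output is all zeros exactly when the first byte of AES_key(0^16) is zero, which happens for roughly one key in 256. The function names are my own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// cfb8Encrypt: minimal AES-CFB8 (ciphertext byte = plaintext byte XOR byte 0 of AES(register); register then shifts left one byte).
func cfb8Encrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here
	}
	reg := append([]byte(nil), iv...)
	enc := make([]byte, block.BlockSize())
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(enc, reg)
		out[i] = p ^ enc[0]
		copy(reg, reg[1:])
		reg[len(reg)-1] = out[i]
	}
	return out
}

// zeroIVCollapses: with the fixed all-zero IV the flaw hinges on, an all-zero 8-byte input encrypts to all zeros
// exactly when byte 0 of AES_key(0^16) is 0: the register then never leaves the zero state, so every later byte is 0 too.
func zeroIVCollapses(key []byte) bool {
	return bytes.Equal(cfb8Encrypt(key, make([]byte, 16), make([]byte, 8)), make([]byte, 8))
}

// countCollapsing draws n random AES-128 keys and counts how many collapse to all-zero output.
func countCollapsing(n int) int {
	hits, key := 0, make([]byte, 16)
	for i := 0; i < n; i++ {
		if _, err := rand.Read(key); err != nil {
			panic(err)
		}
		if zeroIVCollapses(key) {
			hits++
		}
	}
	return hits
}

func main() {
	fmt.Println(countCollapsing(65536), "of 65536 random keys gave all-zero output (expect about 256)")
}
```

The count printed by main fluctuates around 256 (one key in 256), which is why only a handful of connection attempts are needed to hit a collapsing key.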
Several public PoC exploits are now available, and companies whose AD servers remain unpatched stand to suffer serious harm, since the attack can be used to plant malware in a network.
There are tools to check whether your servers are vulnerable. Tervoort and Secura have published a tool on GitHub that tests whether domain controllers are patched or still vulnerable.
Microsoft released a patch for CVE-2020-1472 (Zerologon) in August 2020. All AD servers (2008 R2 and later) should be patched as soon as possible. But the time from patch availability to deployment is still far too long: researchers report that in a typical company it takes 60 to 150 days (about 5 months) for a released patch to finally be installed. This is known as the Mean Time to Patch (MTTP).
Unfortunately, the newly released patch is not a universal fix either. Where older, non-compliant devices remain, a group policy that specifically allows access for non-compliant devices may have to be applied to them manually.
Conventional security measures should always be in place to track compromised accounts and networks, malicious traffic, and other indicators of compromise. Intrusion detection systems and anti-malware software should be monitored on the network and on host devices (all endpoints) for ransomware, viruses, and other attacks.
A Security Information and Event Management (SIEM) system needs to collect, centralise, and review logs. Once logs are reviewed, people and procedures should be in place to respond to indicators of compromise (IoCs). An incident response team with sound procedures and expertise should then take over to determine the nature of the compromise and move toward remediation.