Exploit code for a severe privilege escalation bug in the Netlogon Remote Protocol (NRP), used by Domain Controllers on Windows networks, has now been published, and users are advised to apply the August security patch released by Microsoft as soon as possible.
The flaw in NRP was found by Dutch security vendor Secura's researcher Tom Tervoort.
While details of the "Zerologon" vulnerability were not released in August, Secura has now provided full details of the flaw.
Today, a proof of concept was published on GitHub by security researcher Dirk-jan Mollema for the vulnerability, which carries the maximum 10.0 out of 10 Common Vulnerability Scoring System (CVSS) severity rating.
The Zerologon flaw allows an attacker with a foothold on an internal Windows network to send a number of Netlogon messages with various fields filled with zeroes and thereby change the password of a Domain Controller as stored in Active Directory.
"Zerologon (CVE-2020-1472): 100% reliable Domain Admin privileges immediately from unauthenticated network access to DC. The most insane Windows Domain vulnerability ever. Original writeup from @SecuraBV with test-tool is here: https://t.co/6hNvMOrucI" — an0n (@an0n_r0), September 14, 2020
"The attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain," Tervoort wrote.
Ransomware criminals especially would be likely to exploit the Zerologon vulnerability.
Microsoft has now addressed the flaw, which lies in the cryptography used by Netlogon, and Tervoort's testing shows the Zerologon attack no longer works once the August patch is applied.
Microsoft will tighten NRP further in February next year, when enforcement mode for the protocol is turned on by default.
Enforcement mode requires secure NRP communication from every device, so administrators will need to update equipment connecting to their networks, or whitelist devices that do not support the more secure protocol.
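Before enforcement mode is switched on, administrators need to know which devices are still establishing the weaker Netlogon secure channel. The following is an added example for that triage step; it is not Secura's test script nor any Microsoft tooling. It assumes the Netlogon event IDs 5827 to 5831 that Microsoft's CVE-2020-1472 guidance added to the Domain Controller's System log with the August patch, and assumes those events have been exported as a simple CSV with the columns shown. All account names and records below are constructed sample data.

```python
# Added example: triage of Netlogon secure-channel audit events ahead of enforcement mode.
# Event IDs 5827-5831 are the ones Microsoft's CVE-2020-1472 guidance documents for the
# Netlogon service in a DC's System log; the CSV layout and every record are constructed.
import csv
import io

# Event IDs introduced with the August 2020 patch (System log, source NETLOGON).
NETLOGON_EVENTS = {
    5827: "denied: vulnerable computer-account connection (enforcement mode)",
    5828: "denied: vulnerable trust-account connection (enforcement mode)",
    5829: "allowed: vulnerable computer-account connection (not yet enforced)",
    5830: "allowed: vulnerable computer account via allow-list group policy",
    5831: "allowed: vulnerable trust account via allow-list group policy",
}

# Constructed sample export (assumed shape: EventID,TimeCreated,Account,Domain); not real telemetry.
# NAS-OLD$ appears with both 5829 and 5827 to mimic a mixed estate where one DC already enforces.
SAMPLE_EXPORT = """EventID,TimeCreated,Account,Domain
5829,2020-09-14T08:01:12,PRINTER-LEGACY$,CORP
5829,2020-09-14T08:05:40,PRINTER-LEGACY$,CORP
5829,2020-09-14T09:10:03,NAS-OLD$,CORP
5827,2020-09-14T09:11:55,NAS-OLD$,CORP
5830,2020-09-14T10:00:00,MAINFRAME-GW$,CORP
5831,2020-09-14T10:02:00,PARTNER-DOMAIN$,CORP
7036,2020-09-14T10:30:00,,CORP
"""


def parse_export(text):
    """Parse the CSV export into dicts with an integer EventID; unrelated events are kept."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["EventID"] = int(row["EventID"])
        rows.append(row)
    return rows


def netlogon_findings(rows):
    """Map each account that produced a Netlogon secure-channel event to its sorted event IDs."""
    findings = {}
    for row in rows:
        if row["EventID"] in NETLOGON_EVENTS:
            findings.setdefault(row["Account"], set()).add(row["EventID"])
    return {acct: sorted(ids) for acct, ids in findings.items()}


def must_update_before_enforcement(rows):
    """Accounts still using vulnerable connections that are only logged (5829).
    These will be denied (5827/5828) once enforcement mode is on, so fix or allow-list them first."""
    return sorted(acct for acct, ids in netlogon_findings(rows).items() if 5829 in ids)


def allow_listed(rows):
    """Accounts explicitly exempted by group policy (5830/5831); each exemption keeps the
    weak channel open and should be reviewed and removed once the device is updated."""
    return sorted(acct for acct, ids in netlogon_findings(rows).items()
                  if 5830 in ids or 5831 in ids)


def already_denied(rows):
    """Accounts that a DC in enforcement mode has already refused (5827/5828)."""
    return sorted(acct for acct, ids in netlogon_findings(rows).items()
                  if 5827 in ids or 5828 in ids)


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    for acct, ids in sorted(netlogon_findings(events).items()):
        print(acct, [NETLOGON_EVENTS[i] for i in ids])
    print("update before enforcement:", must_update_before_enforcement(events))
    print("allow-listed, review:", allow_listed(events))
    print("already denied:", already_denied(events))
```

Run against an export covering at least a few days, since devices that only talk to the DC occasionally will not show up in a short window; an empty 5829 list is the signal that enforcement mode can be turned on without breaking anything.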
Secura has also published a Python script on GitHub to test whether a Domain Controller is vulnerable.