iTnews

'Zerologon' Windows domain admin bypass exploit released

By Juha Saarinen on Sep 15, 2020 11:49AM

Vulnerability patched last month far worse than thought.

Exploit code for a severe privilege escalation bug in the Netlogon Remote Protocol for Domain Controllers on Windows networks has now been published, and users are advised to apply the August security patch released by Microsoft as soon as possible.

The flaw in NRP was found by Dutch security vendor Secura's researcher Tom Tervoort.

While details of the "Zerologon" vulnerability were not released in August, Secura has now provided full details of the flaw.

Today, a proof of concept for the vulnerability was published on GitHub by security researcher Dirk-jan Mollema. The flaw carries the maximum Common Vulnerability Scoring System (CVSS) severity rating of 10.0 out of 10.

The Zerologon flaw allows an attacker with a foothold on an internal Windows network to send a series of Netlogon messages with certain fields set to zero and thereby change the Domain Controller's password as stored in Active Directory.

Zerologon (CVE-2020-1472): 100% reliable Domain Admin privileges immediately from unauthenticated network access to DC. The most insane Windows Domain vulnerability ever. Original writeup from @SecuraBV with test-tool is here: https://t.co/6hNvMOrucI pic.twitter.com/M8RMB82ZOy

— an0n (@an0n_r0) September 14, 2020

"The attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain," Tervoort wrote.

Ransomware criminals especially would be likely to exploit the Zerologon vulnerability.

Microsoft has now addressed the flaw, which lies in Netlogon's cryptographic implementation, and Tervoort's testing shows the Zerologon attack no longer works once the August patch is applied.

Microsoft will tighten NRP further in February next year, when enforcement mode for the protocol will be turned on by default.

Enforcement mode requires secure NRP communication from every device, so administrators will need to update equipment connecting to their networks, or to whitelist devices that cannot support the more secure protocol.

Secura has also published a Python script on GitHub to test whether a Domain Controller is vulnerable.
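The transition to enforcement mode described above leaves administrators with a concrete task: find the devices that still negotiate vulnerable Netlogon secure channels, and either update them or add them to the exception policy before the change lands. The following script is an added example, not Secura's test tool or anything published by Microsoft or iTnews. It relies on one fact outside the article: the patched domain controllers log Event IDs 5827 and 5828 (vulnerable connection denied), 5829 (vulnerable connection allowed during the initial deployment phase) and 5830 and 5831 (allowed by group-policy exception) for Netlogon secure channel connections. The CSV export format, the machine account names and the IP addresses are constructed for the example.

```python
"""Triage of Netlogon secure-channel events ahead of enforcement mode.

Added example. The event IDs below are the ones patched domain controllers
write for vulnerable Netlogon secure channel connections; the CSV layout,
account names and addresses are constructed for illustration and do not
reproduce the real event-log export format.
"""
from collections import defaultdict
import csv
import io

# Meaning of the Netlogon event IDs logged by patched domain controllers.
DENIED = {5827, 5828}             # vulnerable connection refused
ALLOWED_VULNERABLE = {5829}       # allowed only because enforcement is not yet on
ALLOWED_BY_POLICY = {5830, 5831}  # allowed by an explicit group-policy exception

# Constructed sample export: timestamp, event id, machine account, client IP.
SAMPLE_EXPORT = """\
2020-09-14T08:00:01Z,5829,LEGACY-NAS$,10.0.5.21
2020-09-14T08:00:07Z,5829,OLD-PRINTER$,10.0.5.40
2020-09-14T08:01:12Z,5830,SCANNER-01$,10.0.5.50
2020-09-14T08:02:33Z,5829,LEGACY-NAS$,10.0.5.21
2020-09-14T08:03:45Z,5827,UNKNOWN-BOX$,10.0.9.9
2020-09-14T08:04:10Z,5831,PARTNER-TRUST$,10.0.7.1
"""


def parse_events(text):
    """Parse the CSV export into dicts, skipping malformed rows instead of crashing."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        timestamp, event_id, account, client_ip = row
        try:
            events.append({"time": timestamp, "id": int(event_id),
                           "account": account, "ip": client_ip})
        except ValueError:
            continue  # non-numeric event id: not a row we understand
    return events


def triage(events):
    """Group machine accounts by what enforcement mode will do to them.

    will_break: still allowed only because enforcement is off (action needed)
    denied:     already being refused (investigate: unpatched or unknown device)
    excepted:   allowed by explicit policy exception (review the list stays minimal)
    """
    report = {"will_break": defaultdict(set),
              "denied": defaultdict(set),
              "excepted": defaultdict(set)}
    for ev in events:
        if ev["id"] in ALLOWED_VULNERABLE:
            report["will_break"][ev["account"]].add(ev["ip"])
        elif ev["id"] in DENIED:
            report["denied"][ev["account"]].add(ev["ip"])
        elif ev["id"] in ALLOWED_BY_POLICY:
            report["excepted"][ev["account"]].add(ev["ip"])
    # Plain dicts with sorted address lists make the result easy to diff over time.
    return {bucket: {acct: sorted(ips) for acct, ips in accts.items()}
            for bucket, accts in report.items()}


def accounts_needing_action(events):
    """Machine accounts that must be updated or explicitly excepted before enforcement."""
    return sorted(triage(events)["will_break"])


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EXPORT)
    result = triage(parsed)
    for bucket, accts in result.items():
        print(f"{bucket}:")
        for acct, ips in accts.items():
            print(f"  {acct}  from {', '.join(ips)}")
    print("needs action before enforcement:", accounts_needing_action(parsed))
```

Run against a real export the same idea applies: the "will_break" bucket is the list of devices that will lose their secure channel when enforcement mode switches on, and the "excepted" bucket is the whitelist the article refers to, which should be reviewed rather than allowed to grow.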

Copyright © iTnews.com.au . All rights reserved.