iTnews

'Zerologon' Windows domain admin bypass exploit released

By Juha Saarinen on Sep 15, 2020 11:49AM
'Zerologon' Windows domain admin bypass exploit released

Vulnerability patched last month far worse than thought.

Exploit code for a severe privilege escalation bug in the Netlogon Remote Protocol for Domain Controllers on Windows networks has now been published, and users are advised to apply the August security patch released by Microsoft as soon as possible.

The flaw in NRP was found by Dutch security vendor Secura's researcher Tom Tervoort.

While details of the "Zerologon" vulnerability were not released in August, Secura has now provided full details of the flaw.

Today, a proof of concept was published on Github by security researcher Dirk-jan Mollenma for the vulnerability, which has the full 10.0 out of 10 possible Common Vulnerability Scoring System (CVSS) severity rating.

The Zerologon flaw allows an attacker with a foothold on an internal Windows network to simply send a number of Netlogon messages, filling various fields with zeroes, and changing the Active Directory stored password of a Domain Controller.

Zerologon (CVE-2020-1472): 100% reliable Domain Admin privileges immediately from unauthenticated network access to DC. The most insane Windows Domain vulnerability ever. Original writeup from @SecuraBV with test-tool is here: https://t.co/6hNvMOrucI pic.twitter.com/M8RMB82ZOy

— an0n (@an0n_r0) September 14, 2020

"The attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain," Tervoort wrote.

Ransomware criminals especially would be likely to exploit the Zerologon vulnerability.

Microsoft has now addressed the flaw which lies in the Netlogon cryptography system, and Tervoort's testing shows the Zerologon vulnerability does not work with the August patch applied.

Further tightening up of NRP will be done by Microsoft in February next year, when enforcement mode for the protocol will be turned on by default. 

This enables Secure NRP communications for devices which will require administrators to update equipment connecting to their networks, or to whitelist ones that do not support the more secure protocol.

Secura has also published a Python script on Github to test if a Domain Controller is vulnerable.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
domain controller microsoft netlogon secura security windows zerologon

Partner Content

Why simplicity is the winning formula for CX success
Promoted Content Why simplicity is the winning formula for CX success
Why efficient data sharing is vital for effective emergency management
Promoted Content Why efficient data sharing is vital for effective emergency management
Delivering customer-centric government
Promoted Content Delivering customer-centric government
"Move away from linear thinking", futurologist advises business leaders
Promoted Content "Move away from linear thinking", futurologist advises business leaders

Sponsored Whitepapers

10 questions to ask before you select a Network Performance Management tool
10 questions to ask before you select a Network Performance Management tool
Innovate faster. Why accelerating change is a CIO's biggest challenge.
Innovate faster. Why accelerating change is a CIO's biggest challenge.
Unlock faster time-to-revenue using Adobe digital document processes
Unlock faster time-to-revenue using Adobe digital document processes
How Security as Code changes development and deployment for the cloud
How Security as Code changes development and deployment for the cloud
Tackle new ITSM priorities with this seven-step Micro Focus guide
Tackle new ITSM priorities with this seven-step Micro Focus guide

Events

  • SAP e'ffect 2021
By Juha Saarinen
Sep 15 2020
11:49AM
0 Comments

Related Articles

  • Microsoft second-phase "Zerologon" patch kicks in this week
  • 'ZeroLogon' hackers scan for unpatched servers
  • Researchers patch Microsoft's 'Petitpotam' vulnerability patch
  • Wrong Windows file permissions allow admin privilege escalation
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

AWS cautions gov against rushing in more cyber security regulations

AWS cautions gov against rushing in more cyber security regulations
Telstra 'gamifies' cloud cost reduction efforts among internal teams

Telstra 'gamifies' cloud cost reduction efforts among internal teams
Coles keeps a close watch on its Azure cloud costs

Coles keeps a close watch on its Azure cloud costs
CBA to treat its software like "food in the fridge"

CBA to treat its software like "food in the fridge"

Digital Nation

HR platform consolidation unlocks the value of data at Aurecon
HR platform consolidation unlocks the value of data at Aurecon
Next generation of Digital Giants growing faster than the originals: Ray Wang
Next generation of Digital Giants growing faster than the originals: Ray Wang
Digital leaders master collaboration, reskilling and culture: Didier Bonnet
Digital leaders master collaboration, reskilling and culture: Didier Bonnet
COVER STORY: Data centre sustainability scrutiny puts emissions in the spotlight
COVER STORY: Data centre sustainability scrutiny puts emissions in the spotlight
Expect dramatic value chain disruptions every four years: McKinsey Global Institute
Expect dramatic value chain disruptions every four years: McKinsey Global Institute
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.