iTnews

'Zerologon' Windows domain admin bypass exploit released

By Juha Saarinen on Sep 15, 2020 11:49AM
'Zerologon' Windows domain admin bypass exploit released

Vulnerability patched last month far worse than thought.

Exploit code for a severe privilege escalation bug in the Netlogon Remote Protocol for Domain Controllers on Windows networks has now been published, and users are advised to apply the August security patch released by Microsoft as soon as possible.

The flaw in NRP was found by Dutch security vendor Secura's researcher Tom Tervoort.

While details of the "Zerologon" vulnerability were not released in August, Secura has now provided full details of the flaw.

Today, a proof of concept was published on Github by security researcher Dirk-jan Mollenma for the vulnerability, which has the full 10.0 out of 10 possible Common Vulnerability Scoring System (CVSS) severity rating.

The Zerologon flaw allows an attacker with a foothold on an internal Windows network to simply send a number of Netlogon messages, filling various fields with zeroes, and changing the Active Directory stored password of a Domain Controller.

Zerologon (CVE-2020-1472): 100% reliable Domain Admin privileges immediately from unauthenticated network access to DC. The most insane Windows Domain vulnerability ever. Original writeup from @SecuraBV with test-tool is here: https://t.co/6hNvMOrucI pic.twitter.com/M8RMB82ZOy

— an0n (@an0n_r0) September 14, 2020

"The attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain," Tervoort wrote.

Ransomware criminals especially would be likely to exploit the Zerologon vulnerability.

Microsoft has now addressed the flaw which lies in the Netlogon cryptography system, and Tervoort's testing shows the Zerologon vulnerability does not work with the August patch applied.

Further tightening up of NRP will be done by Microsoft in February next year, when enforcement mode for the protocol will be turned on by default. 

This enables Secure NRP communications for devices which will require administrators to update equipment connecting to their networks, or to whitelist ones that do not support the more secure protocol.

Secura has also published a Python script on Github to test if a Domain Controller is vulnerable.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
domain controller microsoft netlogon secura security windows zerologon

Partner Content

COVID-19 has increased the price of used IT gear
Partner Content COVID-19 has increased the price of used IT gear
What is Chaos Engineering? The art of breaking things purposefully
Partner Content What is Chaos Engineering? The art of breaking things purposefully
Four reasons to upgrade your business to fibre internet
Partner Content Four reasons to upgrade your business to fibre internet
The push to move Teams users to cloud telephony
Sponsored Content The push to move Teams users to cloud telephony

Sponsored Whitepapers

Forrester's Asia Pacific Predictions 2021 Guide
Forrester's Asia Pacific Predictions 2021 Guide
Adopting a Next-Generation Data Security Approach
Adopting a Next-Generation Data Security Approach
How to be a SOAR winner
How to be a SOAR winner
3 steps to a well-rounded cybersecurity plan
3 steps to a well-rounded cybersecurity plan
Learn IT Service Management (ITSM) best practises
Learn IT Service Management (ITSM) best practises

Events

  • [Watch] Fulfilling the Promise of SD-WAN
  • On-Demand Webinar: How Poly and Microsoft are Embracing Future Work Environments
  • Live Event: A Paperless Business
  • Corporate Risk and Fraud Detection - How to protect payments from fraud, featuring fireside chat with Bank of New Zealand
  • Ceridian INSIGHTS - Experience the future of HR - Virtual Event
By Juha Saarinen
Sep 15 2020
11:49AM
0 Comments

Related Articles

  • 'ZeroLogon' hackers scan for unpatched servers
  • Legacy protocols used to bypass Microsoft 365 MFA
  • Windows Defender update takes out Citrix
  • Two exploited zero-days fixed in Patch Wednesday
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

NBN Co reveals first locations with an FTTN upgrade path to full fibre

NBN Co reveals first locations with an FTTN upgrade path to full fibre
NBN Co sets a low bar to qualify for a full-fibre upgrade

NBN Co sets a low bar to qualify for a full-fibre upgrade
Toll Group still mopping up after ransomware attacks

Toll Group still mopping up after ransomware attacks
TPG, Aussie Broadband seek longer-term price change from NBN Co

TPG, Aussie Broadband seek longer-term price change from NBN Co
You must be a registered member of iTnews to post a comment.
Log In | Register
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.