Critical Zerologon bug uses weak cryptography to spoof network users

Zerologon exploits a flaw in the customized cryptographic protocol used by Netlogon to authenticate communications between a client and a Windows domain controller and to update passwords. (Microsoft)

Organizations should prioritize patching over detection when it comes to Zerologon, a recently disclosed privilege escalation vulnerability in Microsoft’s Windows server operating system.

The bug, which received a 10 out of 10 severity rating under the Common Vulnerability Scoring System, lies in the customized cryptographic protocol that Netlogon uses to authenticate communications between a client and a Windows domain controller and to update passwords.

In short, an attacker on the network can impersonate any computer, including the domain controller itself, by exploiting a weakness in how Netlogon’s custom encryption scheme proves a client’s identity to the domain controller. Netlogon encrypts the client’s challenge with AES in CFB8 mode to produce an authentication credential, and it does so with an initialization vector made up of all zeros. For roughly one session key in 256, researchers found, encrypting an all-zero challenge under that zero IV produces an all-zero ciphertext. Since there is no limit on the number of failed authentication attempts a client can make, an impersonator can send an all-zero challenge together with an all-zero credential over and over, forcing a fresh session key each time, until the server happens to derive one for which the all-zero credential is valid.

Tom Tervoort, the Secura security researcher who found the flaw, noted that it takes an attacker only a few seconds to cycle through those roughly 256 attempts until the all-zero credential is accepted. From there, they can disable RPC signing and sealing, reset the domain controller’s machine account password and ultimately gain domain admin privileges across an enterprise.
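The weak-key behaviour and the attacker’s retry loop described above, as an added Python example that is not code from the article, from Secura or from Microsoft: it models ComputeNetlogonCredential (AES-CFB8 with a zero IV) and the challenge/authenticate exchange, using the `cryptography` library for AES. The `DomainController` class, the machine secret, and the 16-byte stand-in for the MD4 password hash in the session-key derivation are constructed for illustration; the real wire format and the later steps of the attack (disabling signing, resetting the password) are not modelled.

```python
"""Toy model of the Zerologon weakness: Netlogon's ComputeNetlogonCredential
is AES-CFB8 with an all-zero IV, so for about 1 in 256 session keys an
all-zero challenge encrypts to an all-zero credential."""
import hashlib
import hmac
import os
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

ZERO_IV = bytes(16)        # Netlogon hard-codes a zero IV for AES-CFB8
ZERO_CHALLENGE = bytes(8)  # the 8-byte challenge/credential the attacker sends


def aes_ecb_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with raw AES (the CFB8 keystream source)."""
    enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
    return enc.update(block) + enc.finalize()


def aes_cfb8_zero_iv(key: bytes, plaintext: bytes) -> bytes:
    """AES-CFB8 with a zero IV, written out byte by byte to expose the flaw.

    Each output byte is the first byte of AES(key, shift_register) XORed with
    the plaintext byte; the register then drops its first byte and appends the
    ciphertext byte. With a zero IV and zero plaintext the register stays
    all-zero as long as AES(key, 0)[0] == 0, so the whole ciphertext is zero
    exactly when that single byte is zero, i.e. for about 1 key in 256.
    """
    register = bytearray(ZERO_IV)
    out = bytearray()
    for p in plaintext:
        c = aes_ecb_block(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def library_cfb8_zero_iv(key: bytes, plaintext: bytes) -> bytes:
    """Reference AES-CFB8 from the library, to cross-check the hand-rolled mode."""
    enc = Cipher(algorithms.AES(key), modes.CFB8(ZERO_IV), backend=default_backend()).encryptor()
    return enc.update(plaintext) + enc.finalize()


def zero_credential_accepted(session_key: bytes) -> bool:
    """True if an all-zero challenge yields an all-zero credential under this key."""
    return aes_cfb8_zero_iv(session_key, ZERO_CHALLENGE) == ZERO_CHALLENGE


def derive_session_key(secret: bytes, client_challenge: bytes, server_challenge: bytes) -> bytes:
    # Netlogon's AES session key is HMAC-SHA256, keyed with the account's password
    # hash, over both challenges, truncated to 16 bytes. `secret` here is a
    # constructed 16-byte stand-in for the real MD4 password hash.
    return hmac.new(secret, client_challenge + server_challenge, hashlib.sha256).digest()[:16]


class DomainController:
    """Server side of the Netlogon handshake: ReqChallenge, then Authenticate."""

    def __init__(self, machine_secret: bytes):
        self.secret = machine_secret
        self.attempts = 0
        self.client_challenge = None
        self.server_challenge = None

    def req_challenge(self, client_challenge: bytes) -> bytes:
        self.client_challenge = client_challenge
        self.server_challenge = os.urandom(8)  # fresh per handshake, hence a fresh session key
        return self.server_challenge

    def authenticate(self, client_credential: bytes) -> bool:
        self.attempts += 1  # no lockout: unlimited failures are allowed
        key = derive_session_key(self.secret, self.client_challenge, self.server_challenge)
        expected = aes_cfb8_zero_iv(key, self.client_challenge)
        return hmac.compare_digest(expected, client_credential)


def zerologon_attempts(dc: DomainController, max_attempts: int = 20000):
    """Attacker loop: all-zero challenge, all-zero credential, retry until accepted.

    Returns the number of handshakes needed (about 256 on average) or None if
    the cap was reached, which is vanishingly unlikely at 20000 tries.
    """
    for _ in range(max_attempts):
        dc.req_challenge(ZERO_CHALLENGE)
        if dc.authenticate(ZERO_CHALLENGE):
            return dc.attempts
    return None


def fraction_of_weak_keys(samples: int = 4096) -> float:
    """Estimate how often a random session key accepts the all-zero credential."""
    weak = sum(zero_credential_accepted(os.urandom(16)) for _ in range(samples))
    return weak / samples


if __name__ == "__main__":
    print(f"weak-key fraction ~ {fraction_of_weak_keys():.4f} (expected ~ {1 / 256:.4f})")
    dc = DomainController(machine_secret=os.urandom(16))  # constructed, not a real account
    print(f"all-zero credential accepted after {zerologon_attempts(dc)} handshakes")
```

The cross-check against the library’s CFB8 confirms the hand-written mode is the real one, the estimated weak-key fraction lands near 0.0039, and the simulated attack typically succeeds after a few hundred handshakes, which is the "few seconds" Tervoort describes. Because the property depends only on the first byte of AES(key, 0), no brute force of the key itself is involved; the attacker simply waits for a lucky session key.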

“This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain,” wrote Tervoort in a technical whitepaper on the flaw.

Adam Meyers, vice president of intelligence at CrowdStrike, told SC Media that an attacker would need to have an initial foothold into a victim network first – likely through commodity malware or a successful phishing attack – before exploiting the bug. But those who do have that access can substantially reduce their breakout time before moving laterally and compromising other systems and devices. Ransomware actors and other cyber criminals could find it a particularly attractive option to escalate their privileges across a network and deploy their payload before an organization even knows what hit them.

“This is something that will change the calculus of how fast an adversary can move,” he said.

Organizations across the public and private sector are moving to sound the alarm. Late Friday night, the Cybersecurity and Infrastructure Security Agency issued an emergency directive ordering civilian federal agencies to immediately patch or disable all affected Windows servers, and warned non-governmental organizations to do the same.

“Although the Emergency Directive only applies to…federal agencies, we strongly recommend that state and local government, the private sector, and the American public also apply this security update as soon as possible,” the agency tweeted out shortly after the directive was released.

Two organizations – including Secura – have already developed and released proof-of-concept code, and Meyers said it will soon be incorporated into open source tools like Mimikatz that are a staple for many criminal hacker groups.

As a result, organizations should focus on immediately applying the update to their domain controllers rather than on setting up detection first, though detection can also provide situational awareness and help identify an attacker on the network trying to exploit the flaw. Microsoft already issued a patch in August that makes domain controllers require secure Netlogon channels from Windows devices by default, and that logs warning events for devices across the domain that still connect insecurely. A second phase will require all Windows and non-Windows devices to use secure Remote Procedure Call with Netlogon, but Microsoft has pushed that enforcement to the first quarter of 2021 to give some vendors time to work out implementation issues.

Still, experts advise companies to move fast implementing the initial update.

“I think this is one of the [vulnerabilities] that is highly likely to be used by threat actors now, so I would not spend a lot of time waiting to patch,” said Meyers.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
