Zero logon Vulnerability: Instantly Become Domain Admin by Subverting Netlogon Cryptography

Zerologon is the name that was assigned to a vulnerability found in CVE-2020-1472. Due to the error in the log on method, it is called Zerologon, where the initialization vector (IV) is set to all zeros all the time, random numbers should still be an initialization vector (IV).

An emergency advisory urging civilian federal agencies to take immediate actions like patching or uninstalling all impacted Windows servers was issued by the Cybersecurity and Technology Security Agency and warned non-governmental organizations to do the same.

Tom Tervoort, a Dutch researcher- Security Expert who works for Secura, revealed the vulnerability in September 2020. In fact, in August, the vulnerability was patched, but it was not until the researcher released his paper in September that we began to see POCs and other events. In September 2020, Secura published an article exposing the Netlogon Remote Protocol flaw in Windows Server (all known versions). This weakness is known as Zerologon, or more generally, CVE-2020-1472.

In Microsoft’s Active Directory Netlogon Remote Protocol (MS-NRPC), this vulnerability exploits a cryptographic loophole that enables users to log on to servers that use NTLM (NT LAN Manager). The main issue with this flaw is that MS-NRPC is also used to transmit certain account changes, such as computer service account passwords. Looking back to its roots, the justification for introducing this function can be understood. Lack of authentication at the source of the request to modify these passwords has become a major security issue.

How the attack performs

This weakness enables a hacker to take ownership of a domain controller (DC) as well as the root DC. This is accomplished by modifying or deleting the password on the controller for a service account. Then the hacker will easily cause a denial of service or take over the whole network and own it.

They must be able to set up a TCP session with a DC for attackers to exploit this vulnerability. If they are physically within the network, they might be at a user’s desk or in a position such as a meeting room at an open port. These exploits count as insider attacks, today’s most costly attacks for a corporation. They can be set up from outside the network if they can obtain a foothold somewhere to create the controller’s TCP session.

Tervoort discovered that using AES-CFB8 with a set IV of 16 bytes of zeros. There is a chance that one of every 256 keys used will produce ciphertext with a value of all zeros. This is an incredibly limited number of keys to attempt to build ciphertext with all zeros for the attacker. For the hacker’s machine to do this, it will take only a matter of 2-3 seconds at most.

Systems Affected

According to the CERT-In Advisory, the device affected are as follows:

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation also affected) 

Windows Server 2012 (Server Core installation also affected) 

Windows Server 2012 R2 (Server Core installation also affected) 

Windows Server 2016 (Server Core installation also affected) 

Windows Server 2019 (Server Core installation also affected) 

Windows Server, version 1903 (Server Core installation) 

Windows Server, version 1909 (Server Core installation)

Windows Server, version 2004 (Server Core installation)

Solution

In a gradual rollout, Microsoft is tackling this limitation. With the Windows upgrades launched on August 11, 2020, the initial rollout process begins. Updates would allow Domain Controllers (DCs) to protect Windows devices by default, to log non-compliant application discovery events, and to permit security with clear exceptions for all domain-joined devices.

The second phase, planned for a Q1 2021 release, marks the transition into the enforcement phase. The DC’s will be placed in enforcement mode, which requires all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with Netlogon secure channel or to explicitly allow the account by adding an exception for any non-compliant device.

Required Actions

Update the Domain Controller position on all Windows Servers by 11:59 PM EDT, Monday, September 21, 2020.

Apply the Security Update for August 2020 to all Windows Servers with the domain controller function. If it is necessary to upgrade the domain controllers affected, make sure they are deleted from the network. 

Ensure that technological and/or management controls are in place by 11:59 PM EDT, Monday, September 21, 2020, to ensure that newly provisioned or previously disabled domain controller servers are upgraded before they connect to organization networks.

CISA advises that organizations use several ways to ensure that the upgrade has been correctly introduced, in addition to organizations using their vulnerability testing software for this role.