Windows Server flaw sparks emergency US gov warning

All government agencies had four days to patch their systems against a CVSS 10-rated elevation of privilege flaw

The discovery of a critical flaw in Windows Server that could allow a hacker to infiltrate an organisation’s network spurred US cyber security authorities to order all US agencies to patch their systems within four days.

The rare US Cybersecurity and Infrastructure Security Agency (CISA) directive, issued on 18 September, urged US government agencies to immediately patch the vulnerability tagged CVE-2020-1472 and rated 10.0 on the CVSS scale of severity. 

The bug, dubbed ‘Zerologon’, is a critical flaw in Windows Server that allows attackers to compromise an Active Directory domain controller and grant themselves administrator privileges, according to security firm Secura.

The flaw lies in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, and only requires that an attacker is able to set up TCP connections with a vulnerable domain controller. No domain credentials are needed, and the vulnerability can be exploited to completely compromise all Active Directory identity services.

“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD,” the Secura research said. “This can then be used to obtain domain admin credentials and then restore the original DC password. 

“This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”

The vulnerability was patched on 11 August, and applying the update is the best mitigation against the attack. Its severity, however, has sparked CISA into ordering US government agencies to update their systems by 21 September over fears they’re being sluggish in that process.


The patch that fixes Zerologon also implements additional measures that force domain-joined machines to use previously optional security features of the Netlogon remote protocol.

Although the patch blocks most of the steps in the exploit chain, Windows will also log warning events when, for example, devices that do not yet support Secure NRPC are still present in the domain. Administrators can also activate an “enforcement mode” that mandates Secure NRPC for all devices.

A forthcoming patch in February next year aims to activate Secure NRPC by default, which may cause incompatibility issues with third-party devices and software. Administrators will therefore need to update, decommission or whitelist devices that do not support Secure NRPC before then.
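As an added example (not code from the article, Secura or Microsoft), the following PowerShell audit shows how an administrator can act on the two points above on a patched domain controller: check whether enforcement mode is on, and list the devices that are still making non-Secure-NRPC Netlogon connections from the warning events. It assumes the Netlogon event IDs 5827 to 5831 and the FullSecureChannelProtection registry value as documented in Microsoft's guidance for the CVE-2020-1472 update; neither appears in the article.

```powershell
# Added example, not part of the original article. Run as an administrator on a
# domain controller that has the August 2020 Netlogon patch installed.
# Assumption: event IDs and registry value follow Microsoft's CVE-2020-1472 guidance.

$NetlogonEvents = @{
    5827 = 'Denied: vulnerable machine-account secure channel'
    5828 = 'Denied: vulnerable trust-account secure channel'
    5829 = 'Allowed: vulnerable secure channel (initial deployment phase)'
    5830 = 'Allowed by policy: vulnerable machine-account secure channel'
    5831 = 'Allowed by policy: vulnerable trust-account secure channel'
}

# 1. Is enforcement mode (Secure NRPC mandatory for all devices) already active?
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$prop = Get-ItemProperty -Path $key -Name FullSecureChannelProtection -ErrorAction SilentlyContinue
if ($prop.FullSecureChannelProtection -eq 1) {
    Write-Host 'Enforcement mode: ON (non-compliant devices are denied)'
} else {
    Write-Host 'Enforcement mode: OFF (deployment phase; vulnerable connections are logged, not blocked)'
}

# 2. Which devices still connect without Secure NRPC? Pull the last 7 days of
#    Netlogon warnings from the System log and summarise them per account.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = [int[]]$NetlogonEvents.Keys
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # The event text names the machine or trust account; fall back to the raw
    # message if the expected "SamAccountName:" field is not present.
    $account = if ($e.Message -match 'SamAccountName:\s*(?<acct>\S+)') { $Matches.acct } else { '(see message)' }
    [pscustomobject]@{
        Account = $account
        EventId = $e.Id
        Meaning = $NetlogonEvents[$e.Id]
        Last    = $e.TimeCreated
    }
}

# One line per account/event type, newest first: these are the devices to update,
# decommission or explicitly whitelist before enforcement mode is switched on.
$report | Sort-Object Account, EventId, Last -Descending |
    Group-Object Account, EventId |
    ForEach-Object { $_.Group[0] } |
    Format-Table Account, EventId, Meaning, Last -AutoSize
```

Events 5830 and 5831 indicate accounts that have been explicitly allowed by group policy; 5829 entries are the ones that will start failing once enforcement mode is active.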
