Windows Server flaw sparks emergency US gov warning

All government agencies had four days to patch their systems against a CVSS 10-rated elevation of privilege flaw

The discovery of a critical flaw in Windows Server that could allow a hacker to infiltrate an organisation’s network spurred US cyber security authorities to order all US agencies to patch their systems within four days.

The rare US Cybersecurity and Infrastructure Security Agency (CISA) directive, issued on 18 September, urged US government agencies to immediately patch the vulnerability tagged CVE-2020-1472 and rated 10.0 on the CVSS scale of severity. 

The bug, dubbed ‘Zerologon’, is a critical flaw in Windows Server that allows attackers to compromise an Active Directory domain controller and grant themselves administrator privileges, according to security firm Secura.

The flaw lies in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, and requires only that an attacker be able to establish TCP connections with a vulnerable domain controller. No domain credentials are needed, and the vulnerability can be exploited to completely compromise all Active Directory identity services.

“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD,” the Secura research said. “This can then be used to obtain domain admin credentials and then restore the original DC password. 

“This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”

The vulnerability was patched on 11 August, and applying the update is the best mitigation against the attack. Its severity, however, has sparked CISA into ordering US government agencies to update their systems by 21 September over fears they’re being sluggish in that process.


The patch that fixes Zerologon also implements additional measures that force domain-joined machines to use previously optional security features as part of the Netlogon remote protocol. 

Although the patch blocks most steps of the exploit, Windows will also log warning events when, for example, devices that do not yet support the secure connection still exist in the domain. Administrators can additionally activate an “enforcement mode” which mandates Secure NRPC for all devices.

A forthcoming patch in February next year aims to activate Secure NRPC by default, which may lead to some incompatibility issues with third-party devices and software. Administrators will then be required to update, decommission or whitelist devices that do not support Secure NRPC beforehand.
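The warning events mentioned above give administrators a way to find devices that will break once enforcement mode is switched on. The following added example (not from this article, Secura or Microsoft) summarises a constructed export of those events per machine account; the event IDs 5827–5831 come from Microsoft's Netlogon patch guidance rather than this page, and the one-line "EventID|Account|ClientIP" export format is an assumption.

```python
import re
from collections import defaultdict

# Netlogon event IDs that the August 2020 patch adds to the System log
# (from Microsoft's Zerologon patch guidance; not listed in this article).
DENIED = {5827, 5828}          # vulnerable secure-channel connection refused
ALLOWED = {5829, 5830, 5831}   # vulnerable connection still permitted (not enforcing yet)

# Constructed sample export, one event per line as "EventID|SAMAccountName|ClientIP".
# This simplified layout is an assumption; real event exports look different.
SAMPLE_EXPORT = """\
5829|PRINTER01$|10.0.5.23
5827|WS-FINANCE07$|10.0.8.14
5829|PRINTER01$|10.0.5.23
5830|NAS-LEGACY$|10.0.9.2
5831|CONTOSO-TRUST$|10.0.1.5
5828|OLD-FOREST$|10.0.1.9
not an event line
"""

LINE_RE = re.compile(r"^(\d+)\|([^|]+)\|(\S+)$")

def parse_export(text):
    """Yield (event_id, account, client_ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def summarize(text):
    """Count allowed versus denied vulnerable Netlogon connections per account."""
    counts = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for event_id, account, _ in parse_export(text):
        if event_id in ALLOWED:
            counts[account]["allowed"] += 1
        elif event_id in DENIED:
            counts[account]["denied"] += 1
    return dict(counts)

def needs_action(text):
    """Accounts still allowed to use vulnerable connections: each must be
    updated, decommissioned or explicitly allowed before enforcement mode."""
    return sorted(a for a, c in summarize(text).items() if c["allowed"] > 0)

if __name__ == "__main__":
    report = summarize(SAMPLE_EXPORT)
    for account in needs_action(SAMPLE_EXPORT):
        print(account, report[account])
```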
