
Windows Server flaw sparks emergency US gov warning

All government agencies had four days to patch their systems against a CVSS 10-rated elevation of privilege flaw

The discovery of a critical flaw in Windows Server that could allow a hacker to infiltrate an organisation’s network spurred US cyber security authorities to order all US agencies to patch their systems within four days.

The rare US Cybersecurity and Infrastructure Security Agency (CISA) directive, issued on 18 September, urged US government agencies to immediately patch the vulnerability tagged CVE-2020-1472 and rated 10.0 on the CVSS scale of severity. 

The bug, dubbed ‘Zerologon’, is a critical flaw in Windows Server that allows attackers to compromise an Active Directory domain controller and grant themselves administration privileges, according to security firm Secura.

The flaw lies in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, and exploiting it only requires that an attacker can set up TCP connections with a vulnerable domain controller. No domain credentials are needed, and the vulnerability can be exploited to completely compromise all Active Directory identity services.

“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD,” the Secura research said. “This can then be used to obtain domain admin credentials and then restore the original DC password. 

“This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”

The vulnerability was patched on 11 August, and applying the update is the best mitigation against the attack. Its severity, however, has sparked CISA into ordering US government agencies to update their systems by 21 September over fears they’re being sluggish in that process.


The patch that fixes Zerologon also implements additional measures that force domain-joined machines to use previously optional security features as part of the Netlogon remote protocol. 

Although the patch blocks most steps of the exploit, Windows will log warning events when, for example, devices that do not support Secure NRPC exist in the domain. Administrators can also activate an “enforcement mode” which mandates Secure NRPC for all devices.

A forthcoming patch in February next year aims to activate Secure NRPC by default, which may lead to some incompatibility issues with third-party devices and software. Administrators will then be required to update, decommission or whitelist devices that do not support Secure NRPC beforehand.
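
As an added illustration (not part of the original article), the sketch below shows how an administrator might triage the warning events described above before enforcement becomes the default. The event IDs are the Netlogon System-log events documented in Microsoft's guidance for this update; the CSV column names and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Netlogon event IDs added to the System log by the August 2020 update
# (from Microsoft's guidance for CVE-2020-1472; not listed in the article).
DENIED = {5827, 5828}             # non-secure connection refused
ALLOWED_UNPATCHED = {5829}        # allowed only until enforcement mode
ALLOWED_BY_POLICY = {5830, 5831}  # allowed by an explicit allow-list policy

# Constructed sample: CSV export of System-log events from a domain controller.
# The column layout (TimeCreated, Id, Account) is hypothetical.
SAMPLE_EXPORT = """\
TimeCreated,Id,Account
2020-09-20T08:01:12,5829,NAS01$
2020-09-20T08:03:40,5829,NAS01$
2020-09-20T08:05:02,5830,SCANNER7$
2020-09-20T08:09:55,5827,KIOSK3$
2020-09-20T08:11:00,7036,
"""

def triage(export_text):
    """Group non-secure Netlogon connections by account and pick an action."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        event_id = int(row["Id"])
        if event_id in DENIED | ALLOWED_UNPATCHED | ALLOWED_BY_POLICY:
            seen[row["Account"]].add(event_id)
    report = {}
    for account, ids in seen.items():
        if ids & ALLOWED_UNPATCHED:
            # Works today, stops working once Secure NRPC is mandatory.
            report[account] = "breaks under enforcement: update, decommission or allow-list"
        elif ids & DENIED:
            report[account] = "already denied: update or decommission"
        else:
            report[account] = "allow-listed exception: review whether still needed"
    return report

if __name__ == "__main__":
    for account, action in sorted(triage(SAMPLE_EXPORT).items()):
        print(f"{account:12} {action}")
```
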
