In August 2020, Microsoft released security patches for a critical vulnerability CVE-2020-1472, also dubbed “Zerologon,” to be deployed on Active Directory domain controllers.
Once attackers have gained access to a network, this vulnerability allows them to elevate their privileges to those of a domain administrator, giving them full control over the domain. This means an attacker who gets access to a single workstation can take full control of a Windows domain, change user passwords and execute arbitrary commands.
The consequences of this vulnerability are said to be devastating, so much so that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Emergency Directive (ED) 20-04 last week addressing the vulnerability and urged all companies to apply the Windows Server August 2020 security update to all domain controllers.
What Exactly Is the Zerologon Vulnerability?
The CVE-2020-1472 vulnerability, discovered in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), which is a core authentication component of Active Directory, has a Common Vulnerability Scoring System (CVSS) score of 10.0. It is the result of a flaw in the cryptographic algorithm used in the Netlogon Remote Protocol authentication process. The protocol authenticates users and machines in domain-based networks. It also updates device passwords remotely. An attacker can spoof a successful login on a machine in a network, replace the password of a domain controller (a server that responds to security authentication requests within a Windows Server domain) and gain admin rights to it.
Microsoft Releases Updates for the Vulnerability
Due to the scope of the vulnerability, Microsoft announced in August 2020 that it would release updates in two phases – the Initial Deployment Phase and the Enforcement Phase. The Initial Deployment Phase started with the August 11, 2020 updates and will continue with more updates until the Enforcement Phase. The Enforcement Phase updates will be released on or after February 09, 2021.
As per a Microsoft support article, the Initial Deployment Phase updates:
- Enforce secure remote procedure call (RPC) usage for machine accounts on Windows-based devices.
- Enforce secure RPC usage for trust accounts.
- Enforce secure RPC usage for all Windows and non-Windows domain controllers (DCs).
- Include a new group policy to allow non-compliant device accounts (those that use vulnerable Netlogon secure channel connections). Even when DCs are running in enforcement mode or after the Enforcement Phase starts, allowed devices will not be refused connection.
More information on the Initial Deployment Phase and Enforcement Phase updates and deployment guidelines can be found here.
Zerologon Vulnerability Affecting Compliance
Most industries have strict rules and regulations covering how privileged accounts are managed and secured, and the Zerologon vulnerability essentially exploits exactly this privileged access.
The most widely recommended solution for protecting privileged accounts is a Privileged Account Management (PAM) tool. A PAM tool restricts privileged access within an existing Active Directory environment by maintaining a separate, hardened bastion environment that is kept isolated from attacks on the production domain.
While implementing PAM is certainly a good practice, it is recommended that companies patch the Zerologon vulnerability immediately to protect their systems. You can also implement automated patching to keep Windows fully secure and up to date so as to reduce the chances of missing patches.
Kaseya VSA, a remote monitoring, endpoint and network management solution, enables you to automatically deploy Windows patches on all endpoints, including remote and off-network devices. It also supports native Windows patching and third-party application patching.
Kaseya also offers the Automation Exchange, a marketplace for sharing, buying and selling automation scripts (agent procedures). With over 600 listings and 11,000 users, the Automation Exchange has new entries for patching the Zerologon vulnerability – the Zerologon Registry Check and ZeroLogon Detection Script.
Leverage Automation Exchange’s massive library of ready-to-deploy scripts and patch your vulnerabilities on time. Learn more here.