Windows Server Zerologon Vulnerability: 5 Things You Should Know

In August Microsoft revealed that its Windows Netlogon Remote Protocol (MS-NRPC) had a critical vulnerability. However, it wasn’t until last week that the first reports of cybercriminals actively exploiting it appeared. This critical vulnerability has been called “Zerologon”, and it is very important that you patch your domain controllers if you do not want to have a serious security problem.

Microsoft's Zerologon vulnerability

Microsoft’s security alert on Zerologon

As explained above, the first information dates from August, but the first attacks using Zerologon were not reported until the end of September. On Thursday, September 24, Microsoft began to alert about the problem on its official Twitter account, stating that attackers had been observed using the Zerologon vulnerability.

In addition, the company commented that there are already public exploits that attackers have incorporated into their arsenal of attacks on Windows servers. Microsoft recommended that customers immediately apply the security updates for CVE-2020-1472.

The US Cybersecurity and Infrastructure Security Agency (CISA) heightened the sense of urgency with its own alert, Emergency Directive 20-04, which ordered federal agencies to patch every domain controller within days. It urged all IT administrators to do the same immediately. This indicates that it is a serious problem.

What is the Zerologon vulnerability

This security flaw affects Windows Server domain controllers. The cybersecurity company Secura was the one who gave the vulnerability the name Zerologon, because the attack works by sending all-zero values in the Netlogon handshake. If used by a cybercriminal, it allows them to gain domain administrator privileges and take full control of the Active Directory domain.

CVE-2020-1472 is an elevation of privilege vulnerability that exists in MS-NRPC. Netlogon is a core authentication component of Microsoft Active Directory: it is a service provided by domain controllers that establishes a secure channel between a computer and the domain controller, used among other things to authenticate users and to change machine account passwords. The Zerologon vulnerability has been assigned a CVSS rating of 10.0, the highest possible severity rating for a software bug.

Reason it is a critical security flaw

Microsoft has commented that this Netlogon security flaw allows an unauthenticated attacker to use MS-NRPC to connect to a domain controller and gain full administrator access.

The root cause is a cryptographic mistake in the Netlogon authentication handshake. The ComputeNetlogonCredential function encrypts the 8-byte challenge with AES-CFB8 using a fixed all-zero initialization vector. With a zero IV and an all-zero challenge, roughly 1 in 256 session keys produces an all-zero credential, so an attacker who does not know the machine account password simply sends an all-zero client challenge and an all-zero credential over and over until the domain controller accepts one. After that, the attacker can call NetrServerPasswordSet2 to set the domain controller’s own machine account password to an empty value and from there take over the domain. None of this requires a domain account or a domain-joined machine; only network access to the domain controller’s RPC endpoint is needed.
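The following is an added example, not code from the original article or from Secura or Microsoft, that reproduces the CFB8 zero-IV property described above. Real Netlogon uses AES-128; to keep the example dependency-free, a SHA-256 based stand-in block function (an assumption made here) replaces AES, because the weakness comes from the CFB8 chaining with a zero IV and not from the block cipher itself. The "server" with its secret machine password and the attacker loop are constructed for illustration.

```python
import hashlib

BLOCK = 16  # block size in bytes (AES-128 in the real protocol)


def stand_in_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in keyed 16-byte block function. NOT AES: constructed for this
    example only. Any key-dependent block function shows the same CFB8 flaw."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(block_encrypt, key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8 mode: each ciphertext byte is the plaintext byte XOR the
    first byte of E(key, register); the register then shifts left one byte
    and the ciphertext byte is appended on the right."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Mirrors the structure of MS-NRPC ComputeNetlogonCredential (AES variant):
    CFB8 over the 8-byte challenge with a FIXED all-zero IV. The zero IV is the bug:
    if the first byte of E(key, 0^16) is 0x00 and the challenge is all zeros, the
    register never changes and every output byte is 0x00."""
    return cfb8_encrypt(stand_in_block_encrypt, session_key, bytes(BLOCK), challenge)


def zero_challenge_yields_zero_credential(session_key: bytes) -> bool:
    return compute_netlogon_credential(session_key, bytes(8)) == bytes(8)


def measure_weak_key_fraction(trials: int) -> float:
    """Fraction of session keys for which an all-zero credential is accepted.
    Expected to be about 1/256 (~0.0039) for any reasonable block function."""
    hits = sum(zero_challenge_yields_zero_credential(i.to_bytes(BLOCK, "big"))
               for i in range(trials))
    return hits / trials


# --- constructed model of a domain controller and an attacker ---------------

MACHINE_PASSWORD = b"secret-dc-machine-account-password"  # unknown to the attacker


def derive_session_key(server_challenge: bytes) -> bytes:
    """Stand-in for the Netlogon session-key derivation: depends on the secret
    machine password and the server challenge chosen for this handshake."""
    return hashlib.sha256(MACHINE_PASSWORD + server_challenge).digest()[:BLOCK]


def dc_accepts(server_challenge: bytes, client_challenge: bytes, client_credential: bytes) -> bool:
    """The DC recomputes the expected credential and compares it with what the
    client sent; the client is supposed to need the machine password for this."""
    expected = compute_netlogon_credential(derive_session_key(server_challenge), client_challenge)
    return expected == client_credential


def attack_attempts_until_accepted(max_attempts: int = 5000) -> int:
    """Attacker sends all-zero client challenge and all-zero credential on every
    fresh handshake. Returns the 1-based attempt that succeeded, or -1."""
    for attempt in range(1, max_attempts + 1):
        server_challenge = attempt.to_bytes(8, "big")  # new challenge per handshake
        if dc_accepts(server_challenge, bytes(8), bytes(8)):
            return attempt
    return -1


if __name__ == "__main__":
    print("weak key fraction:", measure_weak_key_fraction(65536))
    print("attacker accepted on attempt:", attack_attempts_until_accepted())
```

The expected number of handshakes before success is about 256, which is why the public exploits finish in seconds. The fix is not to change the block cipher but to stop the chaining from collapsing: Microsoft’s update rejects all-zero client challenges and credentials and, in enforcement mode, refuses vulnerable (non-signed, non-sealed) secure channel connections altogether.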

What can happen if we don’t apply the patch right away

By not patching the Zerologon vulnerability, we are leaving our most critical assets unprotected from a real threat. In addition, this is not a theoretical flaw: attackers are actively using it against companies. As mentioned before, this security flaw reached the highest possible score, and there are public exploits that take advantage of it.

Microsoft’s August patch is not the definitive solution

Microsoft is fixing the Zerologon vulnerability in two phases. The first phase, the update released in August and available now, blocks the exploit and adds the ability to enforce secure RPC for Netlogon. The second, the enforcement phase, is scheduled for February 2021 (February 9, 2021) and will make domain controllers require secure RPC (signed and sealed Netlogon secure channels) for all Windows and non-Windows devices by default.

At this time the August update prevents the Zerologon exploit from working against a patched domain controller. However, during this initial deployment phase, domain controllers still accept vulnerable secure channel connections from non-compliant devices and only log them, so the underlying protocol weakness is not fully closed until enforcement mode is enabled, either manually now or automatically with the February 2021 update.

What companies can do to protect themselves

The first thing we have to do is install the patch for the Zerologon vulnerability on every domain controller, not only on those that are reachable from the Internet: an attacker with any foothold on the internal network can reach a domain controller’s RPC endpoint. Then follow Microsoft’s advice on how to enforce secure RPC connections: after patching, monitor the System event log on the domain controllers for Netlogon event IDs 5827 to 5831 (in particular 5829, which records vulnerable connections that are still being allowed), fix or replace the devices that appear there, and then turn on enforcement mode by setting the FullSecureChannelProtection registry value to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters rather than waiting for February 2021.
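As an added example, not code from the original article or from Microsoft, here is a small triage script for the monitoring step above. It assumes the Netlogon events have been exported from the domain controllers’ System logs into a JSON list with an Id, a timestamp, the machine or trust account name and the client IP (field names are an assumption; the sample records are constructed, not real telemetry). It groups the accounts that still make vulnerable connections (event 5829) and must be fixed before enforcement mode, the accounts that are exempted by group policy (5830 and 5831), and the connections that were already refused (5827 and 5828).

```python
import json
from collections import defaultdict

# Netlogon event IDs introduced by the August 2020 update (System log, source NETLOGON).
DENIED = {5827: "machine account", 5828: "trust account"}             # vulnerable connection refused
ALLOWED_VULNERABLE = 5829                                              # vulnerable connection still allowed
ALLOWED_BY_POLICY = {5830: "machine account", 5831: "trust account"}   # allowed by the "Allow vulnerable
                                                                       # Netlogon secure channel connections" policy

# Constructed sample export (e.g. from Get-WinEvent piped to ConvertTo-Json). Not real data.
SAMPLE_EXPORT = json.dumps([
    {"Id": 5829, "TimeCreated": "2020-10-01T08:12:03Z", "Account": "OLDNAS$", "ClientIP": "10.0.5.17"},
    {"Id": 5829, "TimeCreated": "2020-10-01T09:40:11Z", "Account": "OLDNAS$", "ClientIP": "10.0.5.17"},
    {"Id": 5830, "TimeCreated": "2020-10-01T10:02:45Z", "Account": "LEGACYAPP$", "ClientIP": "10.0.7.3"},
    {"Id": 5827, "TimeCreated": "2020-10-01T11:55:20Z", "Account": "UNKNOWN$", "ClientIP": "203.0.113.9"},
    {"Id": 5829, "TimeCreated": "2020-10-01T12:00:00Z", "Account": "PRINTSRV$", "ClientIP": "10.0.5.40"},
    {"Id": 4624, "TimeCreated": "2020-10-01T12:00:01Z", "Account": "alice", "ClientIP": "10.0.9.2"},
])


def triage(export_json: str) -> dict:
    """Classify exported Netlogon events. Returns:
       must_fix      -> {account: {"count": n, "ips": [...]}} for event 5829
       policy_exempt -> {account: account type} for 5830/5831
       denied        -> list of (account, type, ip) for 5827/5828
    Unrelated event IDs are ignored."""
    must_fix = defaultdict(lambda: {"count": 0, "ips": set()})
    policy_exempt = {}
    denied = []
    for ev in json.loads(export_json):
        eid, account, ip = ev["Id"], ev["Account"], ev.get("ClientIP", "")
        if eid == ALLOWED_VULNERABLE:
            must_fix[account]["count"] += 1
            must_fix[account]["ips"].add(ip)
        elif eid in ALLOWED_BY_POLICY:
            policy_exempt[account] = ALLOWED_BY_POLICY[eid]
        elif eid in DENIED:
            denied.append((account, DENIED[eid], ip))
    return {
        "must_fix": {a: {"count": d["count"], "ips": sorted(d["ips"])} for a, d in must_fix.items()},
        "policy_exempt": policy_exempt,
        "denied": denied,
    }


def enforcement_ready(export_json: str) -> bool:
    """Enforcement mode is safe to enable once no device is still relying on
    vulnerable connections (no 5829 events in the observed window)."""
    return not triage(export_json)["must_fix"]


def report(export_json: str) -> str:
    t = triage(export_json)
    lines = []
    for account, d in sorted(t["must_fix"].items()):
        lines.append(f"FIX BEFORE ENFORCEMENT: {account} ({d['count']} vulnerable connections from {', '.join(d['ips'])})")
    for account, kind in sorted(t["policy_exempt"].items()):
        lines.append(f"POLICY EXEMPTION (review): {account} [{kind}]")
    for account, kind, ip in t["denied"]:
        lines.append(f"DENIED: {account} [{kind}] from {ip}")
    lines.append("enforcement ready: " + ("yes" if enforcement_ready(export_json) else "no"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

Run it against the export from every domain controller, not just one, since each DC only logs the secure channels it served. A denied connection from an unknown account and an external address, like the 5827 record in the sample, is worth investigating as a possible exploitation attempt rather than a compatibility problem.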