Microsoft has released a critical security update for the Netlogon elevation of privilege vulnerability CVE-2020-1472, also known as Zerologon. Threat actors are now using this vulnerability to gain unauthorized access as a domain administrator and take over the domain itself, by targeting Windows servers that have not been patched yet.
So, let us first understand: what is Netlogon?
Netlogon is a service that maintains the channel between a computer and the domain controller for authenticating users and services. It verifies NTLM (NT LAN Manager) logon requests and locates, registers and authenticates domain controllers at logon time.
NOTE: NTLM is a Microsoft authentication protocol that lets a user on a Windows domain authenticate to a website through the browser.
VULNERABILITY IMPACTS:
Secura, the cybersecurity firm that discovered this flaw, has clearly stated that the vulnerability has a huge impact: it allows any attacker on the local network (such as a malicious insider, or someone who simply plugged a device into an on-premise network port) to completely compromise the Windows domain without any user credentials and without any authentication.
HOW CAN THIS FLAW BE EXPLOITED?
When a user logs in to a Windows device on a domain, the device uses MS-NRPC over RPC to communicate with the domain controller for authenticating the user. Because authentication is sensitive, Windows sends the authentication requests over an encrypted RPC connection. That connection can be abused to force the domain controller to fall back to unencrypted RPC communication, after which attackers can use the cryptographic negotiation algorithm to try to spoof a successful login and get into the system as a domain administrator.
MITIGATION:
- Update your domain controllers with the updates released on Aug 11, 2020 and Sept 28, 2020.
- Find which devices are making vulnerable connections by monitoring the event logs.
- Address non-compliant devices that are making vulnerable connections.
- Enable enforcement mode to address CVE-2020-1472 in your environment.
- Check whether your domain controller is vulnerable using the freely available test tool developed by Secura BV itself.
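Steps two to four above (find the devices making vulnerable connections, fix them, then enable enforcement mode) hinge on reading the Netlogon events a patched domain controller writes to its System log. Here is an added example of triaging those events, written for this page and not taken from Microsoft, Secura or the original post. It assumes the event IDs from Microsoft's August 2020 update guidance (5827 and 5828 for a denied vulnerable connection from a machine or trust account, 5829 for a connection allowed during the initial deployment phase, 5830 and 5831 for connections allowed by the group-policy exception); the `SAMPLE_EVENTS` records are constructed sample data, and in practice you would feed the function an export of the System log.

```python
"""Triage Netlogon secure-channel events from a patched domain controller.

Added example for this post. Event-ID meanings are taken from Microsoft's
August 2020 Netlogon update guidance (an assumption to verify against the
KB article for your patch level); the sample records are constructed.
"""
from collections import Counter, defaultdict

DENIED = {5827, 5828}               # vulnerable connection was refused
ALLOWED_DEPLOYMENT_PHASE = {5829}   # allowed only until enforcement mode is on
ALLOWED_BY_POLICY = {5830, 5831}    # allowed by an explicit group-policy exception
NETLOGON_EVENT_IDS = DENIED | ALLOWED_DEPLOYMENT_PHASE | ALLOWED_BY_POLICY

# Constructed sample export: the minimum fields a triage needs.
SAMPLE_EVENTS = [
    {"event_id": 5829, "account": "LEGACY-NAS$", "os": "Unknown", "dc": "DC01"},
    {"event_id": 5829, "account": "LEGACY-NAS$", "os": "Unknown", "dc": "DC01"},
    {"event_id": 5829, "account": "PRINTSRV$", "os": "Windows Server 2008", "dc": "DC02"},
    {"event_id": 5830, "account": "LEGACY-NAS$", "os": "Unknown", "dc": "DC01"},  # GPO exception
    {"event_id": 5827, "account": "WKS-42$", "os": "Windows 10", "dc": "DC01"},   # already refused
    {"event_id": 5828, "account": "PARTNER-TRUST$", "os": "", "dc": "DC02"},
    {"event_id": 4624, "account": "alice", "os": "", "dc": "DC01"},               # unrelated logon
]


def triage(events):
    """Group Netlogon secure-channel events by account and classify each account.

    Returns a dict with:
      counts            - events seen per Netlogon event ID
      denied            - accounts whose vulnerable connections were refused
      policy_exceptions - accounts allowed by the group-policy exception
      needs_attention   - accounts still relying on the deployment-phase
                          allowance; these break once enforcement mode is enabled
      details           - (os, dc) per account, for the report
    """
    counts = Counter()
    seen = defaultdict(set)   # account -> set of Netlogon event IDs observed
    details = {}
    for ev in events:
        eid = ev["event_id"]
        if eid not in NETLOGON_EVENT_IDS:
            continue          # ignore anything that is not a Netlogon channel event
        counts[eid] += 1
        seen[ev["account"]].add(eid)
        details.setdefault(ev["account"], (ev.get("os", ""), ev.get("dc", "")))

    denied = {a for a, ids in seen.items() if ids & DENIED}
    policy_exceptions = {a for a, ids in seen.items() if ids & ALLOWED_BY_POLICY}
    needs_attention = {
        a for a, ids in seen.items()
        if ids & ALLOWED_DEPLOYMENT_PHASE and a not in policy_exceptions
    }
    return {
        "counts": dict(counts),
        "denied": denied,
        "policy_exceptions": policy_exceptions,
        "needs_attention": needs_attention,
        "details": details,
    }


def enforcement_ready(events):
    """True when no account still depends on the deployment-phase allowance."""
    return not triage(events)["needs_attention"]


def report(events):
    """Human-readable summary for the patch team."""
    t = triage(events)
    lines = [f"Netlogon events by ID: {t['counts']}"]
    for account in sorted(t["needs_attention"]):
        os_name, dc = t["details"][account]
        lines.append(f"FIX BEFORE ENFORCEMENT: {account} ({os_name or 'unknown OS'}) via {dc}")
    for account in sorted(t["policy_exceptions"]):
        lines.append(f"policy exception in place: {account}")
    for account in sorted(t["denied"]):
        lines.append(f"already refused: {account}")
    lines.append("enforcement mode: " + ("safe to enable" if enforcement_ready(events) else "NOT yet"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
```

The `needs_attention` set is the list to work through before step four: each account in it is a device that still negotiates a vulnerable Netlogon channel and has no policy exception, so it will stop authenticating the moment enforcement mode is switched on. Accounts that only appear in 5827/5828 events are already being refused and need the same fix, but they will not break anything new.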
Thank you,
Author - Saroj Khadka