CISA Orders Federal Agencies to Patch Zerologon Bug That Could Bring Down Networks

essidsolutions

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Friday ordering federal agencies to apply Microsoft's patch for the Zerologon vulnerability, a flaw that lets an attacker with network access to a domain controller take over an entire Active Directory domain and push malware to every system in it.

On Friday, the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 20-04 regarding a critical vulnerability in Windows Server. The directive requires federal civilian executive branch agencies to patch CVE-2020-1472, which affects the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), and strongly recommends that state and local governments and the private sector do the same.

As per the directive, “The vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, could allow an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services.”

Microsoft disclosed CVE-2020-1472, now known as the Zerologon vulnerability, and released a fix for it in its August Patch Tuesday update; the technical details of the flaw were published by Secura, which discovered it, in September. CISA has ordered all federal agencies to patch by midnight on September 21. The vulnerability lies in the Netlogon Remote Protocol (MS-NRPC) implementation on Windows domain controllers. Researchers at Zero Security found that the attack can also be delivered over the Server Message Block (SMB) protocol rather than directly over TCP, which independent researcher Kevin Beaumont confirmed.

According to Secura, the Zerologon vulnerability “allows an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint.”

In other words, the attacker needs no credentials at all: on an unpatched domain, a network path from any compromised machine to a domain controller is enough to take it over.
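The reason no credentials are needed is the cryptographic flaw Secura described: MS-NRPC's ComputeNetlogonCredential encrypts the 8-byte client challenge with AES in CFB8 mode using a fixed, all-zero IV. When the first keystream byte happens to be zero, an all-zero challenge encrypts to an all-zero credential, so an attacker who sends zeros for both the challenge and the credential is accepted for roughly 1 in 256 session keys and simply retries (each retry gets a fresh server challenge and therefore a fresh unknown key) until one succeeds; the same negotiation also switches off RPC signing and sealing. The Python below is an added illustration, not code from the article, Secura or Microsoft: it implements generic CFB8 and substitutes a SHA-256-based keyed function for AES's encryption direction (an assumption made to stay dependency-free; the 1/256 property depends only on the mode and the zero IV, not on the cipher). The key-derivation helper is likewise a constructed stand-in for the real, password-derived session key.

```python
import hashlib
from typing import Callable

BLOCK = 16          # AES block size in bytes
CHALLENGE_LEN = 8   # MS-NRPC client challenge / credential length


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES encryption (assumption for this illustration).
    CFB mode only ever uses the cipher's forward direction, so any keyed
    pseudorandom function exhibits the same structural behaviour."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(encrypt_block: Callable[[bytes, bytes], bytes],
                 key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: encrypt the shift register, XOR its first byte with one
    plaintext byte, then shift the resulting ciphertext byte into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = encrypt_block(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """The flawed construction: CFB8 with a fixed all-zero IV."""
    return cfb8_encrypt(toy_block_cipher, session_key, bytes(BLOCK), challenge)


ZERO_CHALLENGE = bytes(CHALLENGE_LEN)
ZERO_CREDENTIAL = bytes(CHALLENGE_LEN)


def server_accepts_zero_credential(session_key: bytes) -> bool:
    """Server-side check in NetrServerAuthenticate3: the client's credential
    must equal the credential the server derives from the client challenge."""
    return compute_netlogon_credential(session_key, ZERO_CHALLENGE) == ZERO_CREDENTIAL


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """With a zero IV and zero plaintext the register stays all-zero exactly
    when this byte is zero, so this single byte decides the whole outcome."""
    return toy_block_cipher(session_key, bytes(BLOCK))[0] == 0


def session_key_for_attempt(seed: int, attempt: int) -> bytes:
    """Constructed stand-in for the unknown per-connection session key, which in
    reality is derived from the machine account password and both challenges."""
    return hashlib.sha256(f"{seed}:{attempt}".encode()).digest()


def attempts_until_accepted(seed: int, limit: int = 10_000) -> int:
    """Attacker loop: keep re-authenticating with an all-zero challenge and
    credential until the domain controller accepts one. Returns the attempt
    count, or -1 if `limit` is reached."""
    for attempt in range(1, limit + 1):
        if server_accepts_zero_credential(session_key_for_attempt(seed, attempt)):
            return attempt
    return -1


def acceptance_rate(trials: int, seed: int = 0) -> float:
    """Fraction of random session keys for which zeros are accepted (about 1/256)."""
    hits = sum(server_accepts_zero_credential(session_key_for_attempt(seed, i))
               for i in range(trials))
    return hits / trials


if __name__ == "__main__":
    print(f"acceptance rate over 20000 keys: {acceptance_rate(20_000):.4f} "
          f"(1/256 = {1 / 256:.4f})")
    print(f"attempts needed with seed 1: {attempts_until_accepted(1)}")
```

The attack needs no knowledge of the machine account password because it never has to compute anything: it bets on the one-in-256 case where the server's own computation yields zeros, and the protocol lets it retry as often as it likes.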


Once a domain controller is compromised, attackers can deploy malware, ransomware or any other payload across the domain. Public proof-of-concept exploit code for Zerologon appeared within days of Secura publishing its technical write-up on September 11, a month after Microsoft had released the patch.

Yeah, I can confirm that this public exploit for Zerologon (CVE-2020-1472) works. Anybody who has not installed the patch from August’s Patch Tuesday already is going to be in much worse shape than they already were. pic.twitter.com/Lg8auMdtVU

— Will Dormann (@wdormann) September 14, 2020

CVE-2020-1472 is rated ‘critical’ with a CVSS score of 10.0. Microsoft is rolling out the fix in two phases. The August update began the Initial Deployment Phase: patched domain controllers now enforce secure RPC for Windows machine and trust accounts but, by default, still allow non-Windows devices to use vulnerable Netlogon connections, and they log the connections they allow and deny. The Enforcement Phase, planned for the first quarter of 2021, will make domain controllers refuse vulnerable connections from all devices unless they are explicitly exempted by group policy.
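What the Initial Deployment Phase gives administrators is telemetry. The August update adds Netlogon event IDs to the System log on domain controllers: 5827 and 5828 record vulnerable connections that were denied (machine and trust accounts respectively), 5829 records vulnerable connections that were allowed only because enforcement is not yet on, and 5830 and 5831 record connections allowed by an explicit group-policy exemption. Any device still generating 5829 events will break once enforcement begins, whether through the Enforcement Phase update or by setting the FullSecureChannelProtection registry value to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. The script below is an added example, not part of the article or of Microsoft's guidance: it triages a constructed export of such events (assumed to have been collected from the domain controllers and saved as newline-delimited JSON with the field names shown, which are this example's own choice) and decides whether enforcement can be switched on.

```python
import json
from collections import defaultdict
from typing import Dict, List

# Netlogon event IDs introduced by the August 2020 (CVE-2020-1472) update.
DENIED_IDS = {5827: "machine account denied", 5828: "trust account denied"}
ALLOWED_VULNERABLE_ID = 5829            # allowed only because enforcement is off
POLICY_EXEMPT_IDS = {5830: "machine account allowed by policy",
                     5831: "trust account allowed by policy"}

# Constructed sample export for this example (one JSON object per line; the
# field names are an assumption, a real Get-WinEvent export would need mapping).
SAMPLE_EXPORT = """\
{"EventID": 5829, "Account": "NAS01$", "ClientIP": "10.0.20.15", "OS": "Linux"}
{"EventID": 5829, "Account": "NAS01$", "ClientIP": "10.0.20.15", "OS": "Linux"}
{"EventID": 5829, "Account": "PRINTSRV$", "ClientIP": "10.0.30.7", "OS": "Embedded"}
{"EventID": 5827, "Account": "WS-OLD-42$", "ClientIP": "10.0.40.42", "OS": "Windows 7"}
{"EventID": 5827, "Account": "WS-OLD-42$", "ClientIP": "10.0.40.42", "OS": "Windows 7"}
{"EventID": 5830, "Account": "LEGACYAPP$", "ClientIP": "10.0.50.9", "OS": "Linux"}
{"EventID": 4624, "Account": "alice", "ClientIP": "10.0.60.2", "OS": "Windows 10"}
"""


def parse_export(text: str) -> List[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events: List[dict]) -> Dict[str, dict]:
    """Group events into the three questions an admin must answer before
    enforcement: which devices will break (5829), which are already being
    refused (5827/5828), and which have been deliberately exempted (5830/5831).
    Each bucket maps (account, client IP, OS) to an event count."""
    buckets = {"needs_fix": defaultdict(int),
               "denied": defaultdict(int),
               "exempt": defaultdict(int)}
    for ev in events:
        eid = ev.get("EventID")
        key = (ev.get("Account"), ev.get("ClientIP"), ev.get("OS"))
        if eid == ALLOWED_VULNERABLE_ID:
            buckets["needs_fix"][key] += 1
        elif eid in DENIED_IDS:
            buckets["denied"][key] += 1
        elif eid in POLICY_EXEMPT_IDS:
            buckets["exempt"][key] += 1
        # any other event ID is unrelated to Netlogon secure channel enforcement
    return {name: dict(counts) for name, counts in buckets.items()}


def enforcement_ready(events: List[dict]) -> bool:
    """Enforcement (FullSecureChannelProtection = 1) is safe to enable only
    when no device is still depending on a vulnerable connection."""
    return not triage(events)["needs_fix"]


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    for bucket, entries in triage(events).items():
        print(f"{bucket}:")
        for (account, ip, os_name), count in sorted(entries.items()):
            print(f"  {account:<12} {ip:<12} {os_name:<10} x{count}")
    print("enforcement ready:", enforcement_ready(events))
```

Devices in the `needs_fix` bucket are the real work item: they must be patched, replaced or, as a last resort, added to the vulnerable-connections group policy before enforcement is turned on. Entries in `denied` are either unpatched Windows hosts or something probing the domain controller, and deserve a look either way.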

For domain controllers that cannot be patched, the only mitigation the directive offers is to remove them from the network altogether. Note that CVE-2020-1472 is exploited from inside the network, so merely cutting a domain controller's internet access does not protect it.

The Department of Homeland Security terms the risk posed by CVE-2020-1472 as ‘unacceptable’, and with good reason.

  • Proof-of-concept exploit code is publicly available
  • Vulnerable domain controllers are widely deployed across federal networks
  • There is a high potential for a compromise of federal agency systems
  • A successful attack may prove to be catastrophic
  • It’s been more than a month since the patch for the vulnerability was released, and still systems remain unpatched


Ian Thornton-Trump, CISO at Cyjax, told Forbes, “CVE-2020-1472 is probably going to get weaponized pretty quickly. If history is any judge, my money is on APT Fox Kitten, also known as Parasite, who since the summer of 2019 have managed within a window of a few weeks to start campaigns using targeted exploits.”

So far, however, there are no public reports of attacks exploiting the flaw against federal or private organizations.
