The Microsoft Zerologon Bug (CVE-2020-1472): How it Works, What it Does, and… oh, by the way, Apply the Update!
Microsoft recently issued an update for a severe bug in its operating system (CVE-2020-1472), which can be used to change any Active Directory account’s password. It is easy, too: the attack can be scripted to run in less than three seconds. And yes, the vulnerability is being actively exploited as you read this.
The vulnerability stems from a communications protocol that Windows uses to talk back and forth between computers linked together in an Active Directory domain. The protocol itself is essentially undocumented (besides the fact that it exists). Microsoft took the same approach as the designers of SCADA did, assuming their communications were secure so long as they remained undocumented.
Why anyone thinks that is a good idea always surprises me. Such an approach is only secure until someone decides to try to break it. If they succeed, maybe they will tell you, maybe not.
Anyway, to ensure communications are secure, there is a cryptographic aspect to all of this. Unfortunately, the cryptography was essentially broken, and only 256 different combinations are possible. Even for a human working by hand, that is not a difficult number of guesses; from a machine’s standpoint, such protection is essentially worthless.
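To see where the 256 comes from, here is an added illustration (not from the original post, and not Microsoft’s code) of the mode Netlogon uses to compute its credentials: AES-CFB8 with a fixed all-zero initialisation vector. A constructed stand-in keyed function replaces AES so the script runs with the Python standard library alone; the property shown depends only on the mode, not on the block cipher.

```python
import hashlib


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """CONSTRUCTED stand-in for the forward direction of a 128-bit
    block cipher. CFB mode only ever calls the encrypt direction, so any
    keyed pseudo-random function with a 16-byte output is enough to study
    the mode itself. This is NOT AES."""
    return hashlib.sha256(key + block).digest()[:16]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of
    E_k(shift register); the register then drops its oldest byte and
    appends the ciphertext byte just produced."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ toy_block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def zero_iv_zero_plaintext_gives_zero_ciphertext(key: bytes, length: int = 8) -> bool:
    """With IV = 0 and plaintext = 0, the register stays all-zero forever
    if (and only if) the first keystream byte is zero: the register drops
    a zero and appends a zero, so every step repeats the first one."""
    return cfb8_encrypt(key, bytes(16), bytes(length)) == bytes(length)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    """The single byte that decides the outcome: E_k(0^16)[0]."""
    return toy_block_encrypt(key, bytes(16))[0] == 0


def survey(num_keys: int, seed: bytes = b"constructed-seed") -> tuple:
    """Derive num_keys deterministic keys and count, for each, whether
    the all-zero ciphertext appears and whether E_k(0^16)[0] == 0.
    Returns (count_all_zero_ciphertext, count_first_byte_zero); the two
    counts are always equal, and each is about num_keys / 256, because a
    good cipher puts a zero in that byte 1 time in 256."""
    zero_ct = zero_first = 0
    for i in range(num_keys):
        key = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        zero_ct += zero_iv_zero_plaintext_gives_zero_ciphertext(key)
        zero_first += first_keystream_byte_is_zero(key)
    return zero_ct, zero_first


if __name__ == "__main__":
    print("all-zero ciphertexts / first-byte-zero keys:", survey(4096))
```

Because the server accepts an all-zero challenge and the IV never changes, each new session key is an independent draw with a 1-in-256 chance of this degenerate case, which is why roughly 256 attempts suffice.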
Now, in Active Directory you can log in on any computer. Once you do so, you can do things like change your password. All of this is handled by the same communications protocol, which sends those logins and password resets back to the Domain Controller for verification. So, pick an account, fire off 256 different combinations of “Set Password on Account X to BLAH”, and there you go.
Within a few seconds you could change the password on any account, without ever having to log in in the first place. Once you have an account, get the list of users and reset everyone’s password. So, in 5 minutes or less, you can lock every user out of the domain and do… well… anything, when you get down to it.
So, it’s a pretty big deal and a rather serious bug. It’s trivial to exploit and can be done from any machine. It doesn’t have to be connected to your Active Directory Forest; it just needs to be able to reach your Domain Controller. However, it’s not all necessarily bad news… there’s some good news too:
1) The attack only works if it is aimed at the Domain Controller
Rather than needing to patch a bunch of machines, you only need to patch your Domain Controllers. This makes the task of performing updates much easier. Even if you have multiple types of servers connected to Active Directory, the only ones you need to patch are the ones designated as Domain Controllers.
2) Microsoft has released a patch.
The patch corrects the problem in a couple of ways. First, it fixes the cryptographic issue (no more 256-possible-combinations nonsense). Second, an event log entry is now written whenever a connection attempt is rejected. So not only is the hole fixed, but you can also tell if someone is actively trying to exploit it. The patch is available for the following Windows Server operating systems:
- 2008 SP 1
- 2012 R2
- Server Version 1903, 1909 & 2004
If your Domain Controller runs any version of the operating systems above, I can only recommend you stop reading this newsletter immediately and apply the patch. If your Domain Controller runs a different operating system, then no patch is coming, and you need to replace it ASAP (sooner would be even better!)
A simple Google search will give you multiple Python and PowerShell scripts that can be used to check whether your Domain Controller is vulnerable to this attack. That search will also find multiple GitHub repositories with working code that exploits this vulnerability. Don’t think the bad guys out there haven’t noticed, because they have, and the number of attacks leveraging this vulnerability is increasing.
For the most part, my approach to patches (even critical ones) is that they can usually wait until the next scheduled maintenance window. Not always. Sometimes patches need to be installed now, like right now, as in immediately. Other times, a patch may need an emergency, out-of-band installation because the security risks outweigh the interruption to people’s daily workflow. This is one of those times.
As the immortal bard, Will Shakespeare, once said: “Better three hours too soon, than a minute too late.”
If you have any questions about protecting yourself from Zerologon, please contact your TRINUS Account Manager for stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.