Zerologon

Zerologon still dangerous

The uproar surrounding the security vulnerability CVE-2020-1472, known as "Zerologon", is not dying down, but picking up even more speed. Microsoft discovered that the vulnerability - categorised as severity 10 out of 10 according to the CVSS score - is now being actively exploited by professional cybercrime groups. It allows attackers to take over domain controllers.

What is Zerologon anyway?

The term Zerologon is the name given to a highly critical vulnerability in CVE-2020-1472. The vulnerability was given the name Zerologon due to the error in the login process, in which the initialisation vector is constantly set to zeros whereby such a vector should always consist of random numbers. The vulnerability is located in the Microsoft Windows Netlogon Protocol (MS-NRPC) implementation of the Windows Server. Specifically, this is a gap in the cryptography of the Microsoft Netlogon process, which enables an attack on the Microsoft Directory Domain Controller (DC). Meaning: It is possible for hackers to impersonate any computer, including the root DC.

Initialisation vector is set to zeros

How long has the vulnerability been known?

Since August 2020 the security vulnerability CVE-2020-1472 has been known and detailed technical information about the critical vulnerability was published on 11 September 2020. We reported on the vulnerability shortly afterwards with valuable tips on the protective measures taken so far. In August 2020, Microsoft released a patch for Zerologon. The patch released is not yet a universal solution to the problem. Therefore, Microsoft plans to release a second phase of the patch in early February 2021 in which signing and sealing will also be mandatory.

How does the Zerologon attack work?

Hackers are able to take control of a domain controller, including the root DC, by changing or removing the password of a service account on the controller - this procedure is known as spoofing an identity . This can then cause a denial-of-service attack or even take over the entire network.

In order for this vulnerability to be exploited, it must be possible for attackers to set up a TCP session with a DC . It does not matter whether the attackers are physically inside the network - known as an insider attack - or outside, as long as they are able to establish such a session with the controller. The hacker must first falsify the credentials or password of the client in the network . Due to the poor implementation of the initialisation vector within MS-NRPC, this only requires around 256 attempts. The account is blocked after three failed attempts? This rule does not apply to computer or machine accounts, as there is no limit for incorrect password attempts for computer logins. Hackers therefore only need to find a key that results in a ciphertext of zero.

The fatal thing about this: The attack can be carried out in just a few seconds.

After this, the attackers disable the RPC signing and sealing mechanism. This mechanism is used for transport encryption within the MS-NRPC. Once signing and sealing has been switched off, the messages are sent in plain text and attackers have the opportunity to take any action they wish.

In order to falsify the identity of a device - preferably the AD server or root AD server for hackers - the password must be changed. To do this, they use the NetServerPasswordSet2 message in MS-NRPC. If the password is changed, removed or set to an empty value, the hacker can log in via the normal process.

What protective measures should be taken?

Users are strongly advised to read the install security updates on all Windows servers used as domain controllers.
In this Microsoft support article you can find more tips on how to protect yourself.
Trend Micro has provided additional protection layers in the form of IPS rules and TippingPoint filters.