Windows Server flaw sparks emergency US gov warning

All government agencies had four days to patch their systems against a CVSS 10-rated elevation of privilege flaw

The discovery of a critical flaw in Windows Server that could allow a hacker to infiltrate an organisation’s network spurred US cyber security authorities to order all US agencies to patch their systems within four days.

The rare US Cybersecurity and Infrastructure Security Agency (CISA) directive, issued on 18 September, urged US government agencies to immediately patch the vulnerability tagged CVE-2020-1472 and rated 10.0 on the CVSS scale of severity. 

The bug, dubbed ‘Zerologon’, is a critical flaw in Windows Server that allows attackers to compromise an Active Directory domain controller and grant themselves administration privileges, according to security firm Secura

The flaw lies in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, and would only demand that an attacker has the power to set up TCP connections with a vulnerable domain controller. They wouldn’t require any domain credentials, and the vulnerability can be exploited to completely compromise all Active Directory identity services.

“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD,” the Secura research said. “This can then be used to obtain domain admin credentials and then restore the original DC password. 

“This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”

The vulnerability was patched on 11 August, and applying the update is the best mitigation against the attack. Its severity, however, has sparked CISA into ordering US government agencies to update their systems by 21 September over fears they’re being sluggish in that process.

Related Resource

The definitive guide for choosing the right application delivery controller

Key considerations for an ADC

Download now

The patch that fixes Zerologon also implements additional measures that force domain-joined machines to use previously optional security features as part of the Netlogon remote protocol. 

Although the patch blocks most steps as part of the exploit mechanism, Windows will log warning events when, for example, devices exist in the domain. Administrators can also activate an “enforcement mode” which mandates Secure NRPC for all devices. 

A forthcoming patch in February next year aims to activate Secure NRPC by default, which may lead to some incompatibility issues with third-party devices and software. Administrators will then be required to update, decommission or whitelist devices that do not support Secure NRPC beforehand.

Most Popular

The benefits of workload optimisation

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Google Cloud beefs up security following surge in ransomware attacks
cloud security

Google Cloud beefs up security following surge in ransomware attacks

21 Jul 2021