Microsoft has patched one of the most serious vulnerabilities ever reported to the company: Zerologon (CVE-2020-1472), which earned the maximum 10.0 score on the Common Vulnerability Scoring System and allows an unauthenticated attacker who can reach a domain controller to take over any Windows network that uses Active Directory. The fix shipped in the August 2020 Patch Tuesday update; Secura, which found the bug, published the full details a month later.
Update Your Windows Servers ASAP
The vulnerability resides in the Netlogon Remote Protocol, the service domain-joined machines use to authenticate users and computers against domain controllers and to maintain the secure channel between a machine and its domain controller.
The bug is in the custom cryptography Netlogon uses for that handshake. It encrypts the 8-byte challenges and credentials with AES in CFB8 mode using a fixed, all-zero initialization vector, so for roughly 1 in 256 session keys an all-zero input encrypts to an all-zero output. An attacker who fills the client challenge and client credential fields with zeros and simply retries the handshake therefore gets authenticated after a few hundred attempts on average, without knowing any password. This allows attackers to:
- Authenticate as any computer account in the domain, including the domain controller itself, and so impersonate those machines.
- Turn off the signing and sealing the secure channel would normally apply to later calls, simply by not requesting them in the handshake.
- Set the domain controller’s own machine account password to an empty string, and from there take over Active Directory.
This is definitely worthy of the 10/10 critical score. An attacker who can reach the domain controller over the network can authenticate as the domain controller itself, reset its machine account password to empty, use that account to pull the password hashes of every user in the domain through the same replication mechanism domain controllers use among themselves, and so become domain admin, all without ever knowing a valid password. The cryptography that is supposed to prove the client knows the machine password is completely subverted.
Needless to say, you should update your Windows servers today. A patched domain controller also logs Event IDs 5827 and 5828 when it rejects a vulnerable Netlogon connection and 5829 through 5831 when it still allows one, so after patching, check the System log for those events to find devices that still need attention.
The attack is also fairly simple to pull off: the attacker sends an all-zero client challenge and an all-zero client credential and repeats the handshake, on average 256 times (a few seconds of traffic), until the domain controller happens to derive a session key that accepts them. One more call over the now-authenticated channel then sets the domain controller’s machine account password to empty. The flow is shown in a diagram from Secura’s whitepaper on the vulnerability:
To actually exploit the vulnerability, attackers need to reach the domain controller’s Netlogon RPC interface, which is normally only exposed on the internal network, so that at least rules out the disaster scenario of exploitation through a public web interface. But it can be done from any computer that can talk to the domain controller, with no credentials at all, so it is still very impactful. One practical caveat: resetting the domain controller’s machine account password this way breaks the controller’s own replication and services until the password is restored, so a careless test against a production controller is itself destructive.
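To make the 1-in-256 behaviour concrete, here is an added example (written for this article, not code from Secura, Microsoft or the Zerologon proof-of-concept tools) that reimplements the credential computation and the retry loop. It assumes a stand-in block function built from SHA-256 rather than real AES, so it runs on a stock Python install; the weakness comes from CFB8 with a fixed zero IV, not from AES internals, so the stand-in shows the same behaviour, and swapping in a single-block AES-128 encryption would give the real Netlogon computation. The simulated domain controller, the `dc_authenticate` check and the retry loop are constructed for illustration.

```python
import hashlib
import os

BLOCK_SIZE = 16            # AES block size in bytes
CHALLENGE_SIZE = 8         # Netlogon challenges and credentials are 8 bytes
ZERO_IV = bytes(BLOCK_SIZE)  # the fixed all-zero IV Netlogon uses: this is the bug


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES-128 block function (constructed for this example).

    Real Netlogon uses AES. A SHA-256-based pseudorandom function is used here so
    the example runs without third-party packages; any block function whose
    output looks random gives the same 1-in-256 result under CFB8 with a zero IV.
    """
    assert len(key) == BLOCK_SIZE and len(block) == BLOCK_SIZE
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: each plaintext byte is XORed with the first byte of
    E_key(shift register), then the ciphertext byte is shifted into the register."""
    register = bytearray(iv)
    ciphertext = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(register))[0] ^ p
        ciphertext.append(c)
        register = register[1:] + bytes([c])
    return bytes(ciphertext)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Netlogon's AES credential: CFB8 over the 8-byte challenge with a zero IV."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def is_weak_session_key(session_key: bytes) -> bool:
    """True when an all-zero challenge encrypts to an all-zero credential.

    With a zero IV and a zero plaintext byte, the first ciphertext byte is just
    E_key(0..0)[0]. If that byte is 0, the register stays all zero, every later
    byte is produced by the same value, and the whole credential is zero.
    That happens for about 1 in 256 keys.
    """
    zero = bytes(CHALLENGE_SIZE)
    return compute_netlogon_credential(session_key, zero) == zero


def dc_authenticate(session_key: bytes, client_challenge: bytes,
                    client_credential: bytes) -> bool:
    """Simulated domain controller check: the client's credential must match
    what the DC computes from its own copy of the session key."""
    return compute_netlogon_credential(session_key, client_challenge) == client_credential


def zerologon_attempts(max_attempts: int = 5000, rng=os.urandom):
    """Simulate the attacker's retry loop.

    On a real DC the session key is derived from the machine account password
    (unknown to the attacker) and the server's fresh random challenge, so from
    the attacker's side every handshake uses an effectively random key. The
    attacker always sends zeros and never learns the key; it just retries until
    a weak key comes up. Returns the attempt number that succeeded, or None.
    """
    zero = bytes(CHALLENGE_SIZE)
    for attempt in range(1, max_attempts + 1):
        session_key = rng(BLOCK_SIZE)  # stands in for the DC's per-handshake key
        if dc_authenticate(session_key, zero, zero):
            return attempt
    return None


def find_weak_session_key(start: int = 0) -> bytes:
    """Deterministically search for a key that accepts the all-zero credential,
    so the behaviour can be reproduced rather than waited for."""
    i = start
    while True:
        key = i.to_bytes(BLOCK_SIZE, "big")
        if is_weak_session_key(key):
            return key
        i += 1


if __name__ == "__main__":
    weak = find_weak_session_key()
    print("first weak key found:", weak.hex())
    print("credential for an all-zero challenge:",
          compute_netlogon_credential(weak, bytes(CHALLENGE_SIZE)).hex())
    print("attempts needed in one simulated run:", zerologon_attempts())
```

Running the script prints a key for which the all-zero credential is accepted and the number of handshakes a simulated run needed; the attempt count varies from run to run but averages around 256. Note that the attacker never needs the key: `find_weak_session_key` only exists to make the property reproducible, while `zerologon_attempts` is the actual attack pattern of sending zeros and retrying.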