Microsoft: Attackers Exploiting ‘ZeroLogon’ Windows Flaw

Microsoft warned on Wednesday that malicious hackers are exploiting a particularly dangerous flaw in Windows Server systems that could be used to give attackers the keys to the kingdom inside a vulnerable corporate network. Microsoft’s warning comes just days after the U.S. Department of Homeland Security issued an emergency directive instructing all federal agencies to patch the vulnerability by Sept. 21 at the latest.

DHS’s Cybersecurity and Infrastructure Agency (CISA) said in the directive that it expected imminent exploitation of the flaw — CVE-2020-1472 and dubbed “ZeroLogon” — because exploit code which can be used to take advantage of it was circulating online.

Last night, Microsoft’s Security Intelligence unit tweeted that the company is “tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon vulnerability.”

“We have observed attacks where public exploits have been incorporated into attacker playbooks,” Microsoft said. “We strongly recommend customers to immediately apply security updates.”

Microsoft released a patch for the vulnerability in August, but it is not uncommon for businesses to delay deploying updates for days or weeks while testing to ensure the fixes do not interfere with or disrupt specific applications and software.

CVE-2020-1472 earned Microsoft’s most-dire “critical” severity rating, meaning attackers can exploit it with little or no help from users. The flaw is present in most supported versions of Windows Server, from Server 2008 through Server 2019.

The vulnerability could let an unauthenticated attacker gain administrative access to a Windows domain controller and run an application of their choosing. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.

Scott Caveza, research engineering manager at security firm Tenable, said several samples of malicious .NET executables with the filename ‘SharpZeroLogon.exe’ have been uploaded to VirusTotal, a service owned by Google that scans suspicious files against dozens of antivirus products.

“Given the flaw is easily exploitable and would allow an attacker to completely take over a Windows domain, it should come as no surprise that we’re seeing attacks in the wild,” Caveza said. “Administrators should prioritize patching this flaw as soon as possible. Based on the rapid speed of exploitation already, we anticipate this flaw will be a popular choice amongst attackers and integrated into malicious campaigns.”

CISA orders federal agencies to implement Zerologon fix by Monday

If you had any doubts about the criticality of the Zerologon vulnerability (CVE-2020-1472) affecting Windows Server, here is a confirmation: the US Cybersecurity and Infrastructure Security Agency (CISA) has issued on Friday an emergency directive instructing federal agencies to “immediately apply the Windows Server August 2020 security update to all domain controllers” – and to do so by the end of Monday (September 21).

CISA Zerologon

“If affected domain controllers cannot be updated, ensure they are removed from the network,” CISA advised.

To make sure the order has been complied with, the agency asks department-level Chief Information Officers (CIOs) or equivalents to submit completion reports by Wednesday.

About the vulnerability

Security updates fixing CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC), were provided by Microsoft in August, and the researchers who discovered the bug revealed more technical information about it last week.

That release was followed by the publication of a slew of PoC exploits.

Zerologon’s severity stems from the fact that it can be leveraged by an unauthenticated attacker with network access to a domain controller to impersonate any domain-joined computer, including a domain controller.

“Among other actions, the attacker can set an empty password for the domain controller’s Active Directory computer account, causing a denial of service, and potentially allowing the attacker to gain domain administrator privileges. The compromise of Active Directory infrastructure is likely a significant and costly impact,” CERT/CC says.

The risk

“CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” the agency noted in the emergency directive.

“This determination is based on the following: the availability of the exploit code in the wild increasing likelihood of any upatched domain controller being exploited; the widespread presence of the affected domain controllers across the federal enterprise; the high potential for a compromise of agency information systems; the grave impact of a successful compromise; and the continued presence of the vulnerability more than 30 days since the update was released.”

State and local governments should heed this call as well, not to mention organizations in the private sector.

We’re still to hear about the vulnerability being actively exploited in the wild, but it’s just a matter of time until attackers gain the ability to leverage it and start doing it.

Are your domain controllers safe from Zerologon attacks?

CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) for which Microsoft released a patch in August, has just become a huge liability for organizations that are struggling with timely patching.

Secura researchers – the very same ones who found and disclosed the flaw to Microsoft – have published additional technical details on Monday, and just a few hours later several PoC exploit/tools have been published on GitHub.

CVE-2020-1472

About CVE-2020-1472

CVE-2020-1472 (aka Zerologon) affects all supported Windows Server versions, but the danger is highest for servers that function as Active Directory domain controllers in enterprise networks.

The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol.

“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password,” Secura researchers explained.

“This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”

“In a hypothetical attack, one could use this vulnerability to deploy ransomware throughout an organization and maintain a persistent presence if cleanup and restoration efforts miss any additional malicious scripts,” Tenable security response manager Ryan Seguin noted.

“Organizations with network-accessible backups could end up with a perfect storm if a ransomware group destroys backups to increase their likelihood of payout from the victim organization.”

Exploitation

Many PoC exploits have been released security researchers in the past day (1, 2, 3, 4), and the effectiveness of some of them has been confirmed:

Secura researchers published a Python script organizations can used to check whether a domain controller is vulnerable or not.

Remediation

Systems that have received the patch released in August are safe from attack, as it enforces secure NRPC for all Windows servers and clients in the domain. All Active Directory domain controllers should be updated, including read-only domain controllers.

“The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions,” Microsoft explained.

But complete remediation will happen after organizations deploy Domain Controller (DC) enforcement mode, which requires all Windows and non-Windows devices to use secure NRPC or to explicitly allow the account by adding an exception for any non-compliant device.

While organization can deploy DC enforcement mode immediately by enabling specific registry key, on February 9, 2021, DCs will be placed in enforcement mode automatically.

This phased rollout is due to the fact that there are many non-Windows device implementations of the Netlogon Remote Protocol, and vendors of non-compliant implementations have been given enough time to provide customers with the needed updates.

Windows users under attack via two new RCE zero-days

Attackers are exploiting two new zero-days in the Windows Adobe Type Manager Library to achieve remote code execution on targeted Windows systems, Microsoft warns.

Windows zero-days

The attacks are limited and targeted, the company noted, and provided workarounds to help reduce customer risk until a fix is developed and released.

More about the new Windows zero-days

According to the security advisory published on Monday, the vulnerabilities arise from the affected library’s improper handling of a specially-crafted multi-master font – Adobe Type 1 PostScript format.

“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane,” the company shared, and said that the Outlook Preview Pane is not an attack vector for this vulnerability.

The flaws affect:

  • Windows 10
  • Windows 8.1
  • Windows 7
  • Windows RT 8.1
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 2016
  • Windows Server 2019
  • Windows Server, version 1803
  • Windows Server, version 1903
  • Windows Server, version 1909

“For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities,” Microsoft added.

Mitigations and workarounds

Enhanced Security Configuration, which is on by default on Windows Servers, does not mitigate the vulnerabilities.

Offered workarounds include disabling the Preview Pane and Details Pane in Windows Explorer, disabling the WebClient service, and renaming the ATMFD.DLL file. Microsoft explains how to do all that and the impacts of these workarounds in the security advisory.

The company did not offer more details about the attacks nor did it say when the security updates will be released, but has noted that to receive them for Windows 7, Windows Server 2008, or Windows Server 2008 R2 users will have to have an Extended Security Updates (ESU) license.

Wormable Windows SMBv3 RCE flaw leaked, but not patched

Yesterday, when Microsoft released its regular Patch Tuesday fixes, Cisco Talos and Fortinet inadvertently(?) also published information about CVE-2020-0796, a “wormable” vulnerability in the Microsoft Server Message Block (SMB) protocol that has yet to be fixed.

CVE-2020-0796

Cisco Talos has since removed the entry but, a few hours later, Microsoft published an advisory offering more information and workarounds to be implemented until a fix is made available.

About CVE-2020-0796

CVE-2020-0796 is a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.

“An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client,” Microsof explained.

“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”

The vulnerability is not being actively exploited and was discovered internally by Microsoft.

Unlike the Microsoft Windows SMB Server flaws used by the EternalBlue and EternalRomance exploits, which were leveraged for the 2017 WannaCry and NotPetya outbreaks, CVE-2020-0796 only affects SMBv3 and, therefore, does not affect Windows 7 and Windows Server 2008 R2 systems.

According to Microsoft’s advisory, it affects Windows 10 (versions 1903 and 1909) and Windows Server (1903 and 1909).

What to do?

Microsoft advised admins to:

  • Disable SMBv3 compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server
  • Block TCP port 445 at the enterprise perimeter firewall (since it is used to initiate a connection with the affected component). This action will not stop attacks from within their enterprise perimeter.

There is currently no workaround for mitigating the danger for SMB clients.

I’d say that Microsoft will be rushing to deliver a patch soon to head off attackers who are likely already trying to unearth the flaw.

For the moment, there are no PoC exploits or full exploits available online.