Windows Server flaw sparks emergency US gov warning

All government agencies had four days to patch their systems against a CVSS 10-rated elevation of privilege flaw

The discovery of a critical flaw in Windows Server that could allow a hacker to infiltrate an organisation’s network spurred US cyber security authorities to order all US agencies to patch their systems within four days.

The rare US Cybersecurity and Infrastructure Security Agency (CISA) directive, issued on 18 September, urged US government agencies to immediately patch the vulnerability tagged CVE-2020-1472 and rated 10.0 on the CVSS scale of severity. 

The bug, dubbed ‘Zerologon’, is a critical flaw in Windows Server that allows attackers to compromise an Active Directory domain controller and grant themselves administration privileges, according to security firm Secura

The flaw lies in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, and would only demand that an attacker has the power to set up TCP connections with a vulnerable domain controller. They wouldn’t require any domain credentials, and the vulnerability can be exploited to completely compromise all Active Directory identity services.

“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD,” the Secura research said. “This can then be used to obtain domain admin credentials and then restore the original DC password. 

“This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”

The vulnerability was patched on 11 August, and applying the update is the best mitigation against the attack. Its severity, however, has sparked CISA into ordering US government agencies to update their systems by 21 September over fears they’re being sluggish in that process.

Related Resource

The definitive guide for choosing the right application delivery controller

Key considerations for an ADC

Download now

The patch that fixes Zerologon also implements additional measures that force domain-joined machines to use previously optional security features as part of the Netlogon remote protocol. 

Although the patch blocks most steps as part of the exploit mechanism, Windows will log warning events when, for example, devices exist in the domain. Administrators can also activate an “enforcement mode” which mandates Secure NRPC for all devices. 

A forthcoming patch in February next year aims to activate Secure NRPC by default, which may lead to some incompatibility issues with third-party devices and software. Administrators will then be required to update, decommission or whitelist devices that do not support Secure NRPC beforehand.

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

Ryuk behind a third of all ransomware attacks in 2020
Security

Ryuk behind a third of all ransomware attacks in 2020

29 Oct 2020
REvil hacking group says it has made more than $100m in a year
Security

REvil hacking group says it has made more than $100m in a year

29 Oct 2020
36 billion personal records exposed by hacks in 2020 so far
Security

36 billion personal records exposed by hacks in 2020 so far

29 Oct 2020
Trump website defaced in second successive cyber breach
Security

Trump website defaced in second successive cyber breach

28 Oct 2020

Most Popular

Do smart devices make us less intelligent?
artificial intelligence (AI)

Do smart devices make us less intelligent?

19 Oct 2020
Politicians need to stop talking about technology
Policy & legislation

Politicians need to stop talking about technology

21 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020