The rather concerning design flaw in Microsoft's netlogon protocol is being exploited in the wild by miscreants, the Windows giant's security team has warned.
The mega-biz today confirmed it is seeing active attacks abusing the CVE-2020-1472 vulnerability, aka ZeroLogon, which can be exploited to bypass authentication and gain domain-level administrator access in corporate networks.
"Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks." — Microsoft Security Intelligence (@MsftSecIntel), September 24, 2020
The protocol-level hole affects Windows Server and other software that implements MS-NRPC to provide domain controllers, such as Samba. The vulnerability has been given a sweat-inducing CVSS score of 10 out of 10 in severity.
Sysadmins can't say they weren't warned about this flaw and the urgent need to patch it. Microsoft emitted its fix for CVE-2020-1472 in the August Patch Tuesday bundle, and even back then experts were warning the flaw was a critical security risk and addressing it should be a high priority.
"It’s rare to see a critical-rated elevation-of-privilege bug," Trend Micro-ZDI's Dustin Childs said at the time, "but this one deserves it."
Things got real serious when binary-pokers began to post their proof-of-concept code to exploit the flaw. This prompted the US government's computer security agency CISA to take the rare step of issuing an emergency patch directive, urging everyone to install fixes for ZeroLogon when possible.
"This attack has huge impact," said CISA. "It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged a device into an on-premise network port) to completely compromise the Windows domain."
As noted above, installing the August Patch Tuesday bundle will clear up this vulnerability on Windows boxes at least, and protect servers from attack. Admins would be wise to scan their boxes for suspicious activity or any indicators of compromise, as at this point there is a chance machines, particularly those reachable from the internet, have already been exploited.
Microsoft, meanwhile, said it has additional recommendations for those using the Microsoft 365 suite. "Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center," said the MICROS~1 team. "The threat analytics report contains technical details, mitigations, and detection details designed to empower SecOps to detect and mitigate this threat." ®