Windows security updates should always be taken seriously; of that there is no doubt. But when the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issues an emergency directive for a critical Windows Server vulnerability rated a perfect 10, the urgency meter goes off the scale.
The vulnerability could allow an attacker with network access to a domain controller to gain domain administrator privileges simply by sending Netlogon Remote Protocol messages filled with zeros. It is a vulnerability that, CISA said, must be assumed to be actively exploited in the wild.
Here’s what we know about the Zerologon exploit and what you need to do about it right now.
CISA doesn’t issue emergency directives unless there’s a serious cause for concern. The last time I reported on such a rare directive was back in July when government agencies were given just 24 hours to update, you guessed it, Windows Server.
This time around, they get the whole weekend until midnight on Monday, September 21, to get their patching in order.
CVE-2020-1472 is about as serious as it gets, hence the maximum 10 Common Vulnerability Scoring System (CVSS) rating and the critical severity that Microsoft has attached to it. The vulnerability itself lets an attacker who already has a foothold on the network take full control of an Active Directory domain controller, and with it the domain.
The good news is that Microsoft issued a patch for the vulnerability in its August 2020 security update. That update is only the first phase of a two-part fix: it makes domain controllers reject vulnerable Netlogon connections from Windows machine accounts and logs (System event IDs 5827 through 5829) any vulnerable connections that are still allowed from third-party devices. Those are blocked outright only when the enforcement phase arrives in February 2021, or when an administrator turns enforcement on early via the FullSecureChannelProtection registry setting, so patching the domain controllers is the necessary first step rather than the whole job.
The bad news is that proof-of-concept code that exploits unpatched systems has since been published.
The exploit has been named Zerologon because it abuses the Netlogon authentication handshake with strategically placed strings of zeros. The cryptographic function Netlogon uses to prove knowledge of a machine account password is AES in CFB8 mode with a fixed, all-zero initialisation vector. For an all-zero client challenge the resulting credential is also all zeros for roughly one in 256 session keys, so an attacker who keeps sending zero-filled authentication requests is accepted after an average of 256 attempts without knowing any password. From there the attacker can reset the domain controller's own machine account password to an empty string and take over the domain. It is a post-compromise exploit: the attacker needs a network connection to an unpatched domain controller, but no credentials of any kind, to become an 'instant admin.'
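To make the mechanism concrete, here is an added example, written for this piece rather than taken from the article's sources or from any published proof of concept, that models the flawed credential computation in Python. It assumes a SHA-256-based stand-in for the AES block function so that it runs with the standard library alone; the one-in-256 property depends only on the block function behaving like a random permutation, not on anything specific to AES. The message and function names (ClientChallenge, ClientCredential, ComputeNetlogonCredential, NetrServerAuthenticate3) are those of the Netlogon specification.

```python
"""
Added example: a toy model of the AES-CFB8 flaw behind Zerologon (CVE-2020-1472).
Not code from the article or from any published proof of concept.

Netlogon derives the 8-byte ClientCredential by running AES-CFB8 over the
client challenge with the session key and a fixed, all-zero IV.  If the
challenge is also all zeros, the credential is all zeros whenever the first
byte of E(K, 0^16) is 0, i.e. for about 1 in 256 session keys.

ASSUMPTION: AES is replaced by a SHA-256 based stand-in block function so the
script runs with only the standard library.  The property depends only on the
block function looking like a random permutation, not on AES specifics.
"""
import hashlib

BLOCK = 16
ZERO_IV = bytes(BLOCK)
ZERO_CHALLENGE = bytes(8)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 16-byte block function (NOT AES): SHA-256(key || block)[:16]."""
    if len(block) != BLOCK:
        raise ValueError("block must be 16 bytes")
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8 mode: each output byte is p XOR the first byte of
    E(K, shift register); the ciphertext byte is then shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Model of Netlogon's ComputeNetlogonCredential, including the fixed zero IV."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zero_challenge_gives_zero_credential(session_key: bytes) -> bool:
    """True when an all-zero challenge yields an all-zero credential under this key.
    With a zero IV this happens exactly when E(K, 0^16)[0] == 0: the first keystream
    byte is 0, so the ciphertext byte is 0, the register stays all zeros, and every
    later byte repeats the same computation."""
    return compute_credential(session_key, ZERO_CHALLENGE) == ZERO_CHALLENGE


def fraction_of_keys_affected(n_keys: int, seed: bytes = b"zerologon-demo") -> float:
    """Derive n_keys distinct session keys (constructed from a seed) and count how many
    accept the all-zero credential.  Expect roughly 1/256, about 0.0039."""
    hits = sum(
        zero_challenge_gives_zero_credential(
            hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        )
        for i in range(n_keys)
    )
    return hits / n_keys


def simulate_attack(max_attempts: int = 10000, seed: bytes = b"attacker-run") -> int:
    """Model the NetrServerAuthenticate3 retry loop.  Every attempt gets a fresh server
    challenge and therefore a fresh session key the attacker cannot know (derived here
    from a seed for reproducibility).  The attacker always sends ClientChallenge = 0
    and ClientCredential = 0; the DC accepts when its own computation matches.
    Returns the attempt number on which the DC accepted (expected around 256), or -1."""
    for attempt in range(1, max_attempts + 1):
        session_key = hashlib.sha256(seed + attempt.to_bytes(4, "big")).digest()
        expected = compute_credential(session_key, ZERO_CHALLENGE)  # the DC's side
        if expected == ZERO_CHALLENGE:                               # attacker's fixed guess
            return attempt
    return -1


if __name__ == "__main__":
    print(f"fraction of keys accepting the zero credential: {fraction_of_keys_affected(4096):.4f}")
    print(f"attempts until the simulated DC accepted: {simulate_attack()}")
```

Running the script shows the two halves of the story: a few tenths of a percent of session keys accept the zero credential, and the simulated retry loop succeeds after a few hundred attempts. Because the session key changes on every attempt, there is no rate limit or lockout in the protocol to slow the attacker down, which is why the fix has to change the handshake itself rather than the client's behaviour.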
Emergency Directive 20-04 requires federal agencies to take the “immediate and emergency action” that CISA has determined necessary to mitigate the “unacceptable risk” that the Zerologon exploit poses. That action is to “immediately apply the Windows Server August 2020 security update to all domain controllers,” and to do so before September 22.
While the directive is binding only on federal executive branch departments and agencies, CISA also “strongly recommends” that state and local governments, and the private sector, patch this critical vulnerability as a matter of urgency.
“CVE-2020-1472 is probably going to get weaponized pretty quickly,” Ian Thornton-Trump, CISO at threat intelligence specialists Cyjax, says. “If history is any judge, my money is on APT Fox Kitten, also known as Parasite, who since the summer of 2019 have managed within a window of a few weeks to start campaigns using targeted exploits,” he warns.
Those exploit campaigns have targeted CVE-2019-11510 (Pulse Secure VPNs), CVE-2018-13379 (Fortinet FortiOS SSL VPN), CVE-2019-1579 (Palo Alto Networks GlobalProtect), CVE-2019-19781 (Citrix ADC) and CVE-2020-5902 (F5 Networks BIG-IP devices).
“Windows Server Zerologon is more of a lateral movement exploit than a front door or internet-facing vulnerability,” Thornton-Trump says, “so although APT groups will look at this as a great way to get onto servers, where all the cool data is, I can see it being devastating in the hands of cybercriminals.”
With many cybercrime and ransomware groups relying on tools like Mimikatz to harvest credentials and escalate privileges, endpoint security products have signatures for such activity and often block it. “This vulnerability appears not to require a tool,” Thornton-Trump says, “so it may make the job of stealing and ransoming all your things on the server even quicker.” Like the Department of Homeland Security, Thornton-Trump advises that “whatever your threat model, be it APT, cyber-criminal or both, this is a good thing to fix ASAP.”
I have reached out to Microsoft for a statement and will update this article in due course.