Earlier this month, the DHS Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive about a critical vulnerability— CVE-2020-1472—that affected Microsoft Windows Netlogon Remote Protocol after proof-of-concept exploit code was publicly released. Microsoft has now issued a warning after hackers have been observed using exploits for the vulnerability in real world attacks.
The vulnerability, named Zerologon by Secura, is as bad as it gets, having been assigned the maximum CVSS v3 score of 10 out of 10. Exploiting the flaw would allow a remote, unauthenticated attacker with network access to a domain controller to elevate privileges to domain administrator and take full control of a domain and compromise all Active Directory identity services.
Microsoft released a patch to correct the flaw on August Patch Tuesday, but many organizations have been slow to apply the patch and remain vulnerable to attack. Further, not all systems are compatible with Microsoft’s fix.
Windows Server administrators are being strongly advised to apply the Microsoft patch to fix the Zerologon flaw immediately to prevent exploitation. If it is not possible to apply Microsoft’s security update, 0patch has also released fix for the Zerologon flaw.
The micropatch released by 0Patch was developed for Windows Server 2008 R2, which reached end-of-life in January 2020. 0Patch has also ported the patch to supported Windows versions in case Windows Server administrators cannot apply the Microsoft patch for some reason.
Samba has also released a patch to correct the flaw, as Samba relies on the Netlogon protocol. The patch should be applied on all vulnerable versions. Samba version 4.8 and above are unaffected, unless they have the smb.conf lines ‘server schannel = no’ or ‘server schannel = auto’. Samber versions 4.7 and below are vulnerable, unless they have ‘server schannel = yes’ in the smb.conf.