Zerologon is a critical privilege escalation vulnerability affecting all Windows Server versions acting as Domain Controllers (DCs) in an enterprise Active Directory environment; successful exploitation lets an attacker hijack the DC. The root cause is a flaw in the cryptographic authentication scheme (AES-CFB8) used by the Netlogon Remote Protocol.
The Netlogon Remote Protocol (NRPC) is a Remote Procedure Call (RPC) interface available on Windows Domain Controllers. It is used for tasks such as authenticating user and machine connections, most commonly to allow users to log in to servers using the New Technology LAN Manager (NTLM) protocol.
To trigger this vulnerability, multiple Netlogon messages in which various fields are filled with zeroes are sent to the Domain Controller. This leads to a complete takeover of the target Domain Controller. The attacker does not even need user credentials to initiate the attack.
Impact Analysis
Technical
- Once access is established, the attacker can change the computer (machine account) password of the domain controller.
- This can then be used to obtain domain admin credentials, which are in turn used to restore the original DC password.
- Zerologon allows an attacker to dump all user hashes from the target domain, including the hash of the KRBTGT account, which in turn enables a Golden Ticket attack.
Business
- Domain access across all business verticals, leading to complete takeover of the company infrastructure.
- Loss of client and business-sensitive data.
- Loss of reputation, goodwill and revenue share.
- Massive financial losses and sprawling lawsuits.
Preventive Measures
- The patch released in August 2020 addresses CVE-2020-1472.
- All Domain Controllers (including back-up and read-only DCs) must install the aforementioned patch.
- Deploy Domain Controller (DC) enforcement mode, which requires all Windows and non-Windows devices to use secure NRPC, or explicitly allow the account by adding an exception for any non-compliant device.
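The following PowerShell snippet is an added example (not part of the original advisory) showing how a defender can audit a patched Domain Controller for enforcement mode and surface devices still negotiating vulnerable Netlogon secure channels before enforcing. It assumes it is run elevated on the DC itself and that the August 2020 (or later) update is installed; the registry value, policy name and event IDs are those documented by Microsoft for CVE-2020-1472.

```powershell
# Added example: audit a DC for CVE-2020-1472 (Zerologon) enforcement status
# and list devices still using vulnerable Netlogon secure channel connections.
# Assumptions: run elevated on the DC; the August 2020+ update is installed.

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# FullSecureChannelProtection = 1 turns on enforcement mode early.
# DCs updated after the February 2021 enforcement phase enforce regardless
# of this value, so a missing value on a current DC is not a finding by itself.
$props    = Get-ItemProperty -Path $netlogonKey -ErrorAction SilentlyContinue
$enforced = ($props.FullSecureChannelProtection -eq 1)
Write-Host ("FullSecureChannelProtection explicitly set to 1: {0}" -f $enforced)

# Netlogon event IDs written to the System log by a patched DC:
#  5827/5828 - vulnerable connection DENIED (machine / trust account)
#  5829      - vulnerable connection ALLOWED (only while not enforcing)
#  5830/5831 - vulnerable connection allowed by a group policy exception
$filter = @{
    LogName   = 'System'
    Id        = 5827, 5828, 5829, 5830, 5831
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

Write-Host 'Netlogon secure channel events in the last 7 days, by ID:'
$events |
    Group-Object -Property Id |
    ForEach-Object { '{0,5}  count={1}' -f $_.Name, $_.Count }

# Devices behind 5829/5830/5831 still rely on the vulnerable handshake.
# Each one needs patching, or a deliberate, documented exception via the
# "Domain controller: Allow vulnerable Netlogon secure channel connections"
# policy, before enforcement mode can be switched on without breaking them.
Write-Host 'Allowed vulnerable connections (investigate before enforcing):'
$events |
    Where-Object { $_.Id -in 5829, 5830, 5831 } |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

A DC that shows no 5829 events over a representative window and has all non-compliant devices either patched or covered by a documented exception is ready for enforcement mode.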