fb
Homepage 5 Blog 5 Zerologon Windows Vulnerability: What Is It and How to Tackle It?

Zerologon Windows Vulnerability: What Is It and How to Tackle It?

Manage remote endpoints, deploy software and patches with a robust cloud-based Action1 RMM solution. Start your 2-week trial or use free forever for up to 50 endpoints.



On top of dealing with a global pandemic and the challenges that working from home poses for IT administrators, the past few months have seen quite a few alarming vulnerabilities. One of the most critical was announced in August of this year and dubbed the Zerologon vulnerability. What is it and how can organizations ensure the remote workforce is patched and safe from Zerologon?

What is Zerologon Vulnerability?

Let’s consider the Zerologon vulnerability and see why this particular security risk is so alarming. The name Zerologon has been given to a security vulnerability that is detailed in CVE-2020-1472. The name Zerologon comes from the way the vulnerability works and the method used to exploit it. It was discovered by a Dutch security researcher named Tom Tervoort, working for Secura. The official CVE-2020-1472 states the following from Microsoft:

what is zerologon vulnerability action1 rmm blog

“An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.

To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.”

It describes a flaw in the logon process involving Microsoft’s Active Directory Netlogon Remote Protocol (MS-NRPC). This is the protocol that allows users to log on to servers using the NTLM (NT LAN Manager). While NTLM in itself is involved in several important mechanisms in Active Directory, it is also used to transmit account changes that also include computer service account passwords.

Today, while MS-NRPC uses AES encryption which is standard encryption considered to be strong, it uses a setting called AES-CFB8. This is an obscure standard that is not well tested and in fact, has an issue with the initialization vector (IV) using a fixed value of 16 bytes of zeros in a predictable number of attempts. This predictable pattern makes the cryptography easily broken.

How does the attack work and how would an attacker be able to compromise your network by using a proof of concept? The attacker would need to be inside the network at least in a way to set up a TCP session to one of your domain controllers. Most would achieve this if they have compromised a workstation on the internal LAN and were able to remotely access the workstation. Additionally, physical access to the network would also work, albeit would probably less likely than a remote attack.

Tom Tervoort found that when using AES-CFB8 with a fixed initialization vector (IV) of 16 bytes with all zeros, one in every 256 keys used will create a ciphertext that has a value of all zeros. In the world of hacking and exploitation, this is an incredibly small number of attempts to create a successful attempt that would generate all zeros cipher text.

Remotely Run PS Scripts
With the weak implementation of the initialization vector (IV) in MS-NRPC, it would take an attacker only 256 attempts to generate the right combination to exploit the vulnerability. Another issue comes from the way computer accounts work versus user accounts. With user accounts, the Active Directory password policies generally will lock out accounts after 3-5 incorrect login attempts. However, Active Directory password policies don’t apply to computer accounts. This means that an attacker can try an unlimited number of incorrect logins up to the 256 attempts needed to compromise an account for the computer using the Zerologon vulnerability. The attacker then carries out a few remaining tasks to complete the compromise:
  • Turn off “signing and sealing” to encrypt data in transit. This is easily accomplished by simply not setting the flag in the header of the MS-NRPC message.
  • Change the password for the account that has been spoofed, such as for a domain controller. By using the message NetServerPasswordSet2 in MS-NRPC, they change the password for the DC by simply sending a frame with the new preferred password. Most of the time, this will just be set to a blank password.
  • Login via normal processes.

Microsoft Security Patches for Zerologon

Microsoft is addressing Zerologon in two phases, starting with the patch’s initial deployment on August 11, 2020. The phases include the following:

Phase 1

Initial deployment of the Zerologon patch to domain controllers. These patches make changes to the Netlogon protocol to protect Windows devices by default, logs connections from non-compliant devices, and enable protections for domain-joined clients.

  • FullSecureChannelProtection registry key is added to domain controllers.
  • Notably, a new group policy will allow non-compliant device accounts to use vulnerable Netlogon secure channel connections, even when DCs are running in enforcement mode. After the enforcement phase, those associated with the new policy will not be refused connections to the environment.
  • During this phase, IT admins need to be monitoring for non-compliant connections and noting these in the event logs.
  • Log event IDs 5827 and 5828 in the System event log, if connections are denied.

Phase 2

This is known as the Enforcement Phase. Starting February 9, 2021, after this date, DCs will now be in enforcement mode regardless of the enforcement mode registry key. This will start enforcing the requirement for both Windows and non-Windows devices to use the new secure RPC with Netlogon secure channel.

  • Organizations can allow exceptions with the Domain Controller: Allow vulnerable Netlogon secure channel connections group policy.

Microsoft has outlined the following plan of action to address the vulnerability:

  • UPDATE your Domain Controllers with an update released August 11, 2020, or later.
  • FIND which devices are making vulnerable connections by monitoring event logs.
  • ADDRESS non-compliant devices making vulnerable connections.
  • ENABLE enforcement mode to address CVE-2020-1472 in your environment.

Patching Remote Windows Systems

While domain controllers are currently the recipient of the updates that adds the various functionality, Group Policy object, and registry keys to the DCs, there will no doubt be additional security updates and patches that will address various behaviors with the way clients interact with Active Directory across the board. With the majority of employees still working remotely due to the global pandemic since the first of this year, traditional patching solutions such as Windows Server Update Services (WSUS) are no longer able to provide effective patch management to remote clients.
With the various challenges associated with patching and maintaining remote systems as well as vulnerabilities such as Zerologon, organizations must pivot to remote, cloud-based patch management systems to effectively manage and maintain remote clients.
Remote Windows Patch management Systems action1 rmm

Action1 remote management and monitoring solution allow organizations to effectively keep remote clients patched and up-to-date, even with third-party software installations. The remote clients have no requirement to maintain a connection to a corporate network. The automated patching performed by Action1 software is totally cloud-based, so as long as the clients have connections to the Internet, they can be managed.

automated patching software action1

Action1 can also install updates for any third-party software installed on the remote client. This helps to ensure there are no vulnerabilities even from an installed software perspective.

By using cloud-based patch management, organizations can effectively keep business-critical remote systems patched effectively to help mitigate any compromise due to known vulnerabilities. Traditional patch management solutions like WSUS can no longer effectively manage Windows patching in environments where there are remote clients dispersed across numerous networks.

As the Zerologon vulnerability shows, critical vulnerabilities can expose business-critical environments and data to compromise. Cybersecurity breaches is certainly not a risk that organizations of any kind and size can take that are already challenged due to a global pandemic.

Check out Action1 here and see how it can help IT professionals to scale up IT infrastructure and optimize endpoint security effectively, manage and patch remote computers easily.

June 24, 2020

Related Articles

MSP Pricing Models Guide: Achieving MSP Profitability in 2021

MSP Pricing Models Guide: Achieving MSP Profitability in 2021

Managed IT services is one of the fastest-growing and most lucrative sectors of the business tech industry. The global IT services market is on track to hit $1.1 trillion by 2026, registering an 8.02 CAGR between 2021 and 2026. Although the managed IT market is...

Sure Strategies and Ways to Prevent Cyber Attacks

Sure Strategies and Ways to Prevent Cyber Attacks

Cybercriminals have been leveraging the latest in technology to plan and execute sophisticated cyberattacks. They use artificial intelligence, the Internet of things (IoT), bots, etc., to execute malware installations, ransomware infections, man-in-the-middle (MITM)...

About Action1 RMM

Action1 RMM is a cloud-based IT solution for remote monitoring and management, patching, and remote support.

Start your free two-week trial of Action1, or use RMM tools for free forever on 50 endpoints with no functionality limitations!



0 Comments

Submit a Comment

Your email address will not be published.

cloud patch management solutions action1

MSP Solution

Centralize endpoint management and boost efficiency of IT service delivery.

automated server patch management action compliance

Patch Management

Identify and deploy missing OS and third-party software updates.

cloud software deployment tools windows

Software Deployment

Distribute software and updates across managed endpoints.

software distribution tools software inventory action1

IT Asset Inventory

Keep a detailed inventory and manage hardware and software assets.

web client remote desktop

Remote Desktop

Support users via seamless remote desktop connection.

web based rdp client

Unattended Access

Provide administrative support and manage remote devices.

automated patch management action1

Endpoint Management

Run PowerShell, custom scripts, reboot computers and restart services.

API integrations action1

RESTful API

Integrate Action1 RMM to your IT ecosystem.

computer inventory tool for compliance

Reports and Alerts

Conduct endpoint security audits with comprehensive reporting.