
ZeroLogon - Microsoft silently patches CVSS 10/10 vulnerability

rcmaehl

Summary

Microsoft secretly patched one of the most severe Windows vulnerabilities ever last month.

 

Media: (attached image)

 

Quotes


Last month Microsoft patched one of the most severe bugs ever reported to the company, an issue that could be abused to easily take over Windows Servers running as domain controllers in enterprise networks. Patched in the August 2020 Patch Tuesday under the identifier of CVE-2020-1472. It was described as an elevation of privilege in Netlogon. The vulnerability received the maximum severity rating of 10, but details were never made public. The team at Secura B.V., a Dutch security firm, has finally lifted the veil from this mysterious bug and published a technical report describing CVE-2020-1472 in greater depth. And per the report, the bug is truly worthy of its 10/10 CVSSv3 severity score. The bug... takes advantage of a weak cryptographic algorithm used in the Netlogon authentication process. This bug allows an attacker to manipulate Netlogon authentication procedures and:

  • impersonate the identity of any computer on a network when trying to authenticate against the domain controller
  • disable security features in the Netlogon authentication process
  • change a computer's password on the domain controller's Active Directory (a database of all computers joined to a domain, and their passwords)

There are limitations to how a Zerologon attack can be used. For starters, it cannot be used to take over Windows Servers from outside the network. An attacker first needs a foothold inside a network. However, when this condition is met, it's literally game over for the attacked company. The entire attack is very fast and can last up to three seconds, at most. In addition, there are no limits to how an attacker can use the Zerologon attack. For example, the attacker could also pose as the domain controller itself and change its password, allowing the hacker to take over the entire corporate network. Patching Zerologon was no easy task for Microsoft, as the company had to modify how billions of devices are connecting to corporate networks, effectively disrupting the operations of countless companies. This patching process is scheduled to take place over two phases. The first one took place last month, when Microsoft released a temporary fix. This temporary patch made the Netlogon security features (that Zerologon was disabling) mandatory for all Netlogon authentications, effectively breaking Zerologon attacks. Nonetheless, a more complete patch is scheduled for February 2021, just in case attackers find a way around the August patches. Unfortunately, Microsoft anticipates that this later patch will end up breaking authentication on some devices. Secura has not released proof-of-concept code for a weaponized Zerologon attack, but the company expects that these will eventually surface after its report spreads online today.

 

My thoughts

Big Yikes? Mega oof? I don't think I have fresh lingo hot enough to express how bad this is. 10/10 is about as severe as it gets vulnerability-wise. Thankfully a patch has been pushed out to everything back to 2008 and server owners are usually quick to update for security patches. Regardless, we may still see some breaches and attacks due to this exploit now that it's essentially public.

 

Sources

ZDNet (quote source)
Microsoft

@leadeater for being lazy

Edited by Spotty
Changed title


Damn that title hittin me hard tho. I got all those things x10 per square mm on me 😢


I suspect the various server admins who are members of this forum (like @leadeater) are busy engaging in internal and external screaming at this. Even with my nigh non-existent networking knowledge I can follow along well enough to realise how insane this is.


2 hours ago, TempestCatto said:

Damn that title hittin me hard tho. I got all those things x10 per square mm on me 😢

well 0 x 10 is 0 so I'd say you're doing pretty good about those


3 hours ago, CarlBar said:

I suspect the various server admins who are members of this forum (like @leadeater) are busy engaging in internal and external screaming at this. Even with my nigh non-existent networking knowledge I can follow along well enough to realise how insane this is.

Nope, we already patched so it was a round of high fives 🎉


4 hours ago, CarlBar said:

I suspect the various server admins who are members of this forum (like @leadeater) are busy engaging in internal and external screaming at this. Even with my nigh non-existent networking knowledge I can follow along well enough to realise how insane this is.

I'm hoping they just send us a new domain controller machine.


6 hours ago, Oshino Shinobu said:

RIP companies using Server 2008 R2 without ESU licensing. 

Oh boy. At my last place of work they had over 20 servers still using 2008 R2. I still keep in contact with some of the guys I worked with and they managed to only migrate 5 of the 20 servers, and the only reason is because of Rona. But I don't know why it has taken them so long.


1 hour ago, Kisai said:

I'm hoping they just send us a new domain controller machine.

Why, there is a patch so just apply that. Unless there is a reason to replace it?


1 hour ago, Sir Asvald said:

Oh boy. At my last place of work they had over 20 servers still using 2008 R2. I still keep in contact with some of the guys I worked with and they managed to only migrate 5 of the 20 servers, and the only reason is because of Rona. But I don't know why it has taken them so long.


We still have a couple of Server 2003, shhhhh

 


4 hours ago, leadeater said:

We still have a couple of Server 2003, shhhhh

 

 

This isn't really funny but somehow it still made me smile. Also, cool on the high fives.


Always big yikes when such a critical and old vulnerability surfaces. Patched, so good.


On 9/15/2020 at 9:07 AM, leadeater said:

We still have a couple of Server 2003, shhhhh

 

WTF?! WHY?!

 

 


16 hours ago, Sir Asvald said:

WTF?! WHY?!

 

 

Because money.
Migrating, especially if it involves purchasing new software (or new 20-50-200k scientific equipment), can be stupidly expensive and time consuming. Mind you, REDACTED isn't ideal, but we have multiple XP and I think one vista machine at work, just not connected to the network.


5 hours ago, FakeNSA said:

Because money.
Migrating, especially if it involves purchasing new software (or new 20-50-200k scientific equipment), can be stupidly expensive and time consuming. Mind you, REDACTED isn't ideal, but we have multiple XP and I think one vista machine at work, just not connected to the network.

Of course it will cost a lot of money for new hardware and software. But those servers are probably costing them a lot of money just to keep them running.

 

Damn, what are the uses for the XP and Vista PCs? Special software?


7 hours ago, Sir Asvald said:

Of course it will cost a lot of money for new hardware and software. But those servers are probably costing them a lot of money just to keep them running.

 

Damn, what are the uses for the XP and Vista PCs? Special software?

I used to work at a place that produces (highly modern) electronic equipment (also for the US government and Microsoft, of all things) and they still happily used XP and Vista on the majority of "test units", connected to the internet and all... only the chief executives had Windows 10, basically. When I asked them why, they were just like "too expensive"... (this was like 2 or 3 years ago)

 

 

Tldr: I think this is far more common than you think.


Windows sysadmin here - It's not a matter of "if", it's "when" this will be rolled up into ransomware suites. This is so bad that Microsoft will be under PR pressure to release, for free, an update for 2008 R2 regardless of the fact that it's EOL and you don't have extended support. The damage this could cause is incalculable at this point. If they didn't, I would imagine Microsoft executives being dragged before US Congress if this thing got out of hand.


8 hours ago, Sir Asvald said:

Of course it will cost a lot of money for new hardware and software. But those servers are probably costing them a lot of money just to keep them running.

 

Damn, what are the uses for the XP and Vista PCs? Special software?

Mostly the reasons I gave above, but yeah, special software connected to stupendously expensive equipment. You going to throw away a 200 grand (or more) electron microscope because it doesn’t run on windows 10?


28 minutes ago, StDragon said:

Windows sysadmin here - It's not a matter of "if", it's "when" this will be rolled up into ransomware suites. This is so bad that Microsoft will be under PR pressure to release, for free, an update for 2008 R2 regardless of the fact that it's EOL and you don't have extended support. The damage this could cause is incalculable at this point. If they didn't, I would imagine Microsoft executives being dragged before US Congress if this thing got out of hand.

Honestly, the only real reason I could see Microsoft patching this would be due to them padding with zeros, which was what allowed this attack to happen.

 

8 hours ago, Sir Asvald said:

Of course it will cost a lot of money for new hardware and software. But those servers are probably costing them a lot of money just to keep them running.

 

Damn, what are the uses for the XP and Vista PCs? Special software?

Virtualization.  While it's not ideal, you can get NT 4.0 running in a virtualized environment. Not that it's recommended, but it is what it is (software that would cost too much to replace given that it would need to be rewritten and re-tested...at least 50-60k which isn't practical and the fact that new software would need to be licensed which changed from a perpetual license to a per user yearly license...so that would have an added cost of 10k a year).

 

Sometimes it's just cheaper running the old stuff and making sure only limited things see/access it.


On 9/14/2020 at 11:30 PM, rcmaehl said:

(attached image)

Oh s**t,

I am glad that usually my Server isn't connected to the internet...

 

Just replace everything with Zeroes...

They should not have gone public with it, it's too easy to execute and can cause extremely high damage.


2 minutes ago, Vishera said:

They should not have gone public with it, it's too easy to execute and can cause extremely high damage.

I think they totally should; it's one more piece of evidence of MS's incompetence. What kind of moron would let a client have unlimited tries to auth?


7 minutes ago, jagdtigger said:

I think they totally should; it's one more piece of evidence of MS's incompetence. What kind of moron would let a client have unlimited tries to auth?

The worst bit here was they padded with zeros on an implementation that should have used random padding. Had that not happened, it actually would be a lot harder to exploit. In that regard, cryptography is a difficult thing; one innocent mistake during implementation can bring the entire thing down. There are lots of examples of mistakes being made by large corporations. *Spoofing to cause a DoS attack comes to mind in terms of limiting tries.* This mistake could literally boil down to one programmer padding without understanding the consequences. Look at things like Heartbleed: a simple mistake by a single person; it doesn't always speak of incompetence. At least it wasn't like Sony's mistake:

int getRandom() {
	return 4;
}

 

29 minutes ago, Vishera said:

Just replace everything with Zeroes...

They should not have gone public with it,it's too easy to execute and can cause extremely high damage.

For those who are curious here is the link to the whitepaper

https://www.secura.com/pathtoimg.php?id=2055

 

It's been patched and I'm sure people would have figured out what changed eventually anyway. It's not as trivial as sending all 0s anyway... just the main part of it is sending 0s through.

 

 

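The "padding with zeros" the last few posts argue about is, concretely, the Netlogon credential computation running AES in CFB8 mode with a fixed all-zero IV. The block below is an added illustration written for this thread; it is not code from the thread, from Microsoft or from Secura. It assumes a keyed PRF (HMAC-SHA256 truncated to 16 bytes) as a stand-in for the AES block function, which is a valid substitution because CFB mode only ever calls the block cipher in the encrypt direction, so the chaining argument is identical. All keys are constructed test values. It shows why an all-zero IV plus all-zero plaintext yields an all-zero 8-byte credential for roughly 1 key in 256 rather than 1 in 2^64, and that a fresh IV removes the collapse.

```python
"""
Why CFB8 with a fixed all-zero IV collapses: an added illustration.

Netlogon's credential computation runs AES in CFB8 mode with an all-zero IV.
Here a keyed PRF (HMAC-SHA256 truncated to 16 bytes) stands in for the AES
block function (an assumption; CFB uses the cipher forward-only, so the
chaining argument is the same). Keys are constructed test values.
"""
import hashlib
import hmac
import os

BLOCK = 16          # block size in bytes (AES-sized)
CREDENTIAL_LEN = 8  # Netlogon credentials are 8 bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block function (keyed PRF), used forward-only like AES in CFB."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly BLOCK bytes")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CFB8: each plaintext byte is XORed with the first byte of
    E_k(register); the register then shifts left one byte and the new
    ciphertext byte is appended on the right."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def constructed_key(i: int, seed: bytes = b"constructed-key-seed") -> bytes:
    """Deterministic constructed key #i, so results are reproducible."""
    return hashlib.sha256(seed + i.to_bytes(4, "big")).digest()


def find_key_with_zero_first_keystream_byte(start: int = 0) -> bytes:
    """Scan constructed keys for one where E_k(0^16) starts with 0x00.
    About 1 key in 256 has this property."""
    i = start
    while True:
        key = constructed_key(i)
        if block_encrypt(key, bytes(BLOCK))[0] == 0:
            return key
        i += 1


def zero_credential_fraction(trials: int, fixed_zero_iv: bool) -> float:
    """Fraction of constructed keys for which an all-zero 8-byte plaintext
    encrypts to eight zero bytes. With the fixed all-zero IV this is about
    1/256: once the first keystream byte is 0, the shift register stays all
    zeros and every later keystream byte is the same 0. With a fresh random
    IV per key the chance is about 2^-64 and is never observed here."""
    hits = 0
    for i in range(trials):
        iv = bytes(BLOCK) if fixed_zero_iv else os.urandom(BLOCK)
        if cfb8_encrypt(constructed_key(i), iv, bytes(CREDENTIAL_LEN)) == bytes(CREDENTIAL_LEN):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    k = find_key_with_zero_first_keystream_byte()
    print("zero-IV credential for a 1-in-256 key:",
          cfb8_encrypt(k, bytes(BLOCK), bytes(CREDENTIAL_LEN)).hex())
    print("keys giving an all-zero credential, zero IV  :", zero_credential_fraction(4096, True))
    print("keys giving an all-zero credential, random IV:", zero_credential_fraction(4096, False))
```

The structural defence is an unpredictable IV (or not using CFB8 this way at all); the quoted article describes Microsoft's August update taking the other route of making the Netlogon security features that the attack switches off mandatory for every connection.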

17 minutes ago, wanderingfool2 said:

*Spoofing to cause a DoS attack comes to mind in terms of limiting tries.*

Yeah but on the other hand if you have limited tries the system could notify the sysadmin, or trigger some scripts that would disconnect the offending system from the network....... (Most corporations will use gear from the same manufacturer in their network so it's pretty easy to do. Will it cause some disruption? Yes. But it is better than having your domain controller popped....)


11 minutes ago, jagdtigger said:

Yeah but on the other hand if you have limited tries the system could notify the sysadmin, or trigger some scripts that would disconnect the offending system from the network....... (Most corporations will use gear from the same manufacturer in their network so it's pretty easy to do. Will it cause some disruption? Yes. But it is better than having your domain controller popped....)

Booting a system out for too many invalid attempts would just be asking for DoS... or, you know, locking out a domain controller

 

On a similar note, do we know that it didn't log it?  [Back in the day I remember having a lot of invalid password attempts and such].  I could be wrong, just thinking there probably was a way of seeing it in logs.


1 minute ago, wanderingfool2 said:

Booting a system out for too many invalid attempts would just be asking for DoS... or, you know, locking out a domain controller

How would they do a DoS if the compromised system is locked out from the network? 9_9
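The exchange above, notify-the-sysadmin versus lock-out-and-risk-a-DoS, is easy to resolve in code: rate-detect and alert, but never auto-block. The block below is an added example written for this thread, not code from the thread or from Microsoft. Its log layout (`<ISO timestamp> <dc> <event> client=<account> src=<ip>`, event name `NETLOGON_AUTH_FAIL`) is a constructed, hypothetical format rather than Windows event-log output, and all records are synthetic. It counts failed secure-channel attempts per source address in a sliding window and raises one alert when a source crosses the threshold, which matches the thread's observation that the attack needs a burst of attempts (on the order of 256) within a few seconds. In practice the equivalent signal on a patched domain controller comes from the System log, where Microsoft's August 2020 update added Netlogon events 5827 through 5831 recording vulnerable secure-channel connections that were denied or allowed.

```python
"""
Alert-only burst detector for failed Netlogon secure-channel attempts.

Added example. The record layout and the event names are constructed and
hypothetical, not Windows event-log output; the sample log is synthetic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, NamedTuple

# Hypothetical layout: "<ISO timestamp> <dc> <event> client=<account> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dc>\S+) (?P<event>\S+) client=(?P<client>\S+) src=(?P<src>\S+)$"
)
FAIL_EVENT = "NETLOGON_AUTH_FAIL"  # constructed event name
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


class Record(NamedTuple):
    ts: datetime
    dc: str
    event: str
    client: str
    src: str


def parse_line(line: str) -> Record:
    """Parse one constructed log line into a Record (UTC timestamp)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return Record(ts, m["dc"], m["event"], m["client"], m["src"])


def detect_bursts(lines: Iterable[str], threshold: int = 40,
                  window: timedelta = timedelta(seconds=10)) -> List[Dict]:
    """Sliding-window count of failures per source address. Emits one alert
    per source when the count inside `window` reaches `threshold`. It only
    reports and never locks anything out, so a spoofed source address cannot
    turn the detector into a denial of service against legitimate machines
    (the DoS concern raised in the thread)."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerted = set()
    alerts: List[Dict] = []
    for rec in sorted((parse_line(l) for l in lines), key=lambda r: r.ts):
        if rec.event != FAIL_EVENT:
            continue
        q = recent[rec.src]
        q.append(rec.ts)
        while q and rec.ts - q[0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) >= threshold and rec.src not in alerted:
            alerted.add(rec.src)
            alerts.append({"src": rec.src, "client": rec.client, "count": len(q),
                           "first": q[0].isoformat(), "last": rec.ts.isoformat()})
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample: one source hammering the DC with 300 failed
    attempts in three seconds while claiming to be the DC's own machine
    account, plus a handful of ordinary failures from another host spread
    over minutes, plus one unrelated success."""
    t0 = datetime(2020, 9, 14, 21, 7, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(300):
        ts = (t0 + timedelta(milliseconds=10 * i)).strftime(TS_FMT)
        lines.append(f"{ts} DC01 {FAIL_EVENT} client=DC01$ src=10.0.5.23")
    for i in range(5):
        ts = (t0 + timedelta(minutes=2 * i)).strftime(TS_FMT)
        lines.append(f"{ts} DC01 {FAIL_EVENT} client=WS-LAB-07$ src=10.0.7.40")
    ts = (t0 + timedelta(seconds=1)).strftime(TS_FMT)
    lines.append(f"{ts} DC01 NETLOGON_AUTH_OK client=WS-LAB-08$ src=10.0.7.41")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(alert)
```

On the sample data only the bursting source is reported; the host with five failures over eight minutes never reaches the threshold inside a ten-second window. The alert record also carries the claimed machine account, and a domain controller's own account being asserted from a workstation address is worth a second look on its own.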

