ZeroLogon - Microsoft silently patches CVSS 10/10 vulnerability

rcmaehl
2 hours ago, jagdtigger said:

How would they do DOS if the compromised system is locked out from the network?

Spoofing, like the fact that this was able to take over a domain controller by spoofing.

3735928559 - Beware of the dead beef


3 hours ago, Vishera said:

Oh s**t,

I am glad that usually my Server isn't connected to the internet...

Depends on what you mean by that...

 

You never put a DC (Active Directory Domain Controller) behind the DMZ nor do you port forward to it. But because it's forwarding DNS lookups to non-authoritative domains (basically the internet), that server will have a default gateway assigned so it can talk to the internet; even if it's restricted to just DNS traffic.

 

But that's not the issue. The issue is client PCs that are members of the domain, as they would be the vectors of attack. All it will take is for a single client PC to run some form of malware or code in a browser to immediately own, root, and hijack the DC. From there, it has a solid foothold into the network and can do whatever it has access to; including other AD member servers on the network.


16 hours ago, Sir Asvald said:

Of course it will cost a lot of money for new hardware and software. But those servers are probably costing them a lot of money just to keep them running.

 

Damn, what are the uses for the XP and Vista PCs? Special software?

Well it actually costs nothing, it's just a HUGE risk. Our problem is they run custom in-house software by people that left years and years ago and it only works on 32-bit, which means the most up to date OS it could go on is Server 2008 (not R2) but would still require code updating which is no longer possible. They are used to pull data from multiple different systems and feed into others and are actually highly important, but the functions they provide have nearly been replaced so will be getting turned off soon.

 

This is one of the dangers of writing your own software and also high customization of software, you have to be very careful to ensure a proper life-cycle plan is in place or this happens.


9 hours ago, StDragon said:

Windows sysadmin here - It's not a matter of "if", it's "when" this will be rolled up into ransomware suites. This is so bad, that Microsoft will be under PR pressure to release -for free- an update for 2008 R2 regardless of the fact it's EOL and you don't have extended support. The damage this could cause is incalculable at this point. If they didn't, I would imagine Microsoft executives being dragged before US Congress if this thing got out of hand.

Already is, concepts were out day 1 and live attacks were happening day 2.


6 hours ago, jagdtigger said:

Yeah but on the other hand if you have limited tries the system could notify the sysadmin, or trigger some scripts that would disconnect the offending system from the network....... (Most corporations will use gear from the same manufacturer in their network so it's pretty easy to do. Will it cause some disruption? Yes. But it is better than having your domain controller popped....)

There are limits and you can change them to whatever you like or disable it, but that doesn't work when you're message crafting, because you can make yourself look like anything at will. This attack is possible so quickly that no firewall on the network layer is going to be able to pick it up quickly enough without the very specific and accurate vulnerability signature to identify it, which sometimes is not possible if the authentication chain step is encrypted.

 

Flaws in a protocol itself are much harder to protect from, they need to actually be fixed. Unless it requires rare and specific circumstances to execute that give enough time for detection.

 

The other problem is clients sending lots of authentication requests is very common; Mac and Linux systems do this. One of the problems we get all the time is Macs send thousands of auths per second to Domain Controllers when they get corrupt keychains or a password gets changed on the network but not updated in that keychain. If you want to talk about stupid, how about not stopping auth requests after it has failed 1000 times in a second, nah just keep going it'll work soon...... Thanks Apple.


6 hours ago, wanderingfool2 said:

Booting a system out for too many invalid attempts would just be asking for DOS....or you know locking out a domain controller

This is why we had to disable password lockout at schools. Students would just lock the teacher's account out on purpose to be annoying; situation matters in cases like this.

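The two points above (a single Mac with a stale keychain flooding a DC with failures, and a plain per-account lockout policy being abusable to lock people out) can be shown side by side with a small detection script. This is an added example, not code from anyone in the thread; the log line format, field names, thresholds and host names are all constructed for illustration and do not match any real Windows event format. It counts failures per source per one-second window so the noisy machine is what gets flagged, and separately shows which account a naive "N bad passwords, lock it" rule would have locked.

```python
"""
Added example (not from the thread): flag the source of a failed-auth flood
against a domain controller without locking the targeted account.

All log lines, field names and thresholds here are constructed for this
example; they are not a real Windows Security event format.
"""
from collections import Counter
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)  # naive reference point; avoids local-timezone rounding


def build_sample_log():
    """Constructed sample: one Mac (MACBOOK-07) with a stale keychain retrying
    the old password for 'jsmith' 300 times within one second, plus two
    ordinary typos from jsmith's own workstation and one successful logon."""
    base = datetime(2020, 9, 15, 8, 0, 0)
    lines = []
    for i in range(300):
        ts = (base + timedelta(milliseconds=3 * i)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} AUTH_FAIL account=jsmith source=MACBOOK-07 reason=bad_password")
    for secs in (5, 9):
        ts = (base + timedelta(seconds=secs)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} AUTH_FAIL account=jsmith source=WS-JSMITH reason=bad_password")
    ts = (base + timedelta(seconds=12)).isoformat(timespec="milliseconds")
    lines.append(f"{ts} AUTH_OK account=jsmith source=WS-JSMITH")
    return lines


def parse_line(line):
    """Parse '<iso-timestamp> <OUTCOME> key=value ...' into a dict, or None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    event = {"ts": ts, "outcome": parts[1]}
    for kv in parts[2:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            event[key] = value
    return event


def failure_bursts(lines, window_seconds=1):
    """Count AUTH_FAIL events per (source, window-start-epoch) bucket."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["outcome"] != "AUTH_FAIL" or "source" not in ev:
            continue
        epoch = int((ev["ts"] - EPOCH).total_seconds())
        bucket = epoch - epoch % window_seconds
        counts[(ev["source"], bucket)] += 1
    return counts


def noisy_sources(lines, threshold=100, window_seconds=1):
    """Sources that exceed `threshold` failures in any single window.
    This is what to page the sysadmin about (or feed to a quarantine script):
    the offending device, not the account it is hammering."""
    bursts = failure_bursts(lines, window_seconds)
    return sorted({src for (src, _), n in bursts.items() if n >= threshold})


def accounts_locked_by_naive_policy(lines, lockout_threshold=5):
    """Accounts a plain 'N bad passwords -> lock' rule would lock.
    Demonstrates the denial-of-service side effect raised in the thread:
    the victim account gets locked because of another device's behaviour."""
    per_account = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["outcome"] == "AUTH_FAIL" and "account" in ev:
            per_account[ev["account"]] += 1
    return sorted(acct for acct, n in per_account.items() if n >= lockout_threshold)


if __name__ == "__main__":
    log = build_sample_log()
    print("noisy sources:", noisy_sources(log))                      # ['MACBOOK-07']
    print("accounts naive lockout would lock:", accounts_locked_by_naive_policy(log))  # ['jsmith']
```

The per-source window is the useful signal: jsmith's own two typos never come close to the threshold, while the one device replaying a stale credential is named immediately, which is the information a "disconnect the offending system" script actually needs. The per-account counter shows why the schools in the thread had to turn lockout off: anyone able to generate failures against a name can lock that name out.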

27 minutes ago, leadeater said:

... and live attacks were happening day 2.

I wouldn't doubt it, but I have yet to read of any specific examples. Any known strains of malware or threats you can cite?

 

Let's just say I know a few 2008 R2 boxes out there (including SBS 2011) that should have been decommissioned a long ass time ago; but a certain business owner needs more convincing. I just hate to see impending fail that I know will cost him/her a lot more money in the long run. Sadly.

 

 


13 minutes ago, StDragon said:

I wouldn't doubt it, but I have yet to read of any specific examples. Any known strains of malware or threats you can cite?

Nothing I can say, I only know because it was posted (talking internally) where it wasn't supposed to be and I saw it before it got deleted. It was up for less than 10 seconds but I still got to see it 🤣


26 minutes ago, CircleTech said:

It's really only consumers who care about having something that's the latest-and-greatest just for the sake of being on the cutting edge. Businesses and government want something that works 100% of the time and is very reliable. Linus Media Group does their video editing on 5+ year old computers.

It's businesses too. They're focused on solutions that require tools to be developed for. Often this requires specialized skills and hardware to store and run the applications; both client and server side. In essence, it's the problem that drives the solution and not the other way around.

 

The problem with business is that it's very myopic when it comes to a product life-cycle. Information Technology is a very fast and dynamic changing industry in and of itself. So you have to treat the entire stack from hardware, OS, and APIs as a standing wave. You must move with that wave or be left behind with no support. And when the entire stack starts to break down or be exploited (hacked, vulnerable against malware, etc), the recovery process can be daunting.

 

Businesses see IT as a cost center. But the reality is when you break it all down, all modern business is IT; it's the core of what drives everything. So the job never ends. Progress never ends. IT does, and will continue to innovate and change. And as such, so too must the tools that they rely on. The life-cycle continues - creation, support, maturity, and deprecation.
