Zerologon: Microsoft addressing severe network exploit

Credit: Pixabay/CC0 Public Domain

A Dutch security firm reported last week that it uncovered a severe Windows vulnerability last month that allowed hackers to take over network administrator privileges with a single click.

The security firm, Secura, said Microsoft was notified of the problem and issued the first of two patches in August. The second patch, a more comprehensive solution, is slated for February 2021.

"The attack has a huge impact," Secura's security expert Tom Tervoort said in company white paper. "It basically allows any attacker on the (such as a malicious insider or someone who simply plugged in a device to an on-premise port) to completely compromise the Windows domain."

Experts view the vulnerability, called Zerologon, as one of the most severe ever to hit Microsoft. It was assigned a score of 10/10, the highest degree of severity under the Common Vulnerability Scoring System.

Tervoort said the exploit takes advantage of a faulty cryptographic algorithm employed during the Windows Server Netlogon authentication process. In doing so, the attacker can masquerade as the owner of any computer on a network during authentication, disable security functions and alter or delete passwords.

Experts say it would be a likely approach that attackers inserting ransomware and other malware would favor. It provides easy entry into an unlimited number of affiliated computers on a network. All it takes is a single employee to click on a hostile email attachment or link for an entire network to be compromised.

Tervoort said the entire attack takes no more than three seconds to execute.

Secura researchers waited to release a copy of the exploit for IT administrators to study until after wide release of Microsoft's patch.

"Customers who apply the update, or have automatic updates enabled, will be protected," Microsoft said. The updates work "by modifying how Netlogon handles the usage of Netlogon secure channels."

IT administrators are cautioned that hackers conceivably could examine the first Microsoft patch and work backwards to to devise an alternate line of attack.

With the 2021 fix, Microsoft will require revised logon protocols and updating of all equipment connected to networks. Equipment that is not updated to the more secure protocols must be whitelisted.

Secura has released a python script that can alert IT administrators to any breach by Zerologon.

Zerologon's name stems from the use of a string of zeros to fill out various fields during a Netlogon connection.

"By simply sending a number of Netlogon messages in which various fields are filled with zeros, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password," Secura researchers said.

One small consolation for IT administrators is that a hacker must already be on the network to launch an attack. Zerologon cannot be executed from outside the network.

More information: … visory/CVE-2020-1472

© 2020 Science X Network

Citation: Zerologon: Microsoft addressing severe network exploit (2020, September 15) retrieved 20 July 2024 from
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Explore further

NSA finds major security flaw in Windows 10, free fix issued


Feedback to editors