Vulnerability Overview
ZeroLogon (CVE-2020-1472) is a critical privilege escalation vulnerability affecting all versions of Windows Server. A defect in the way the NetLogon Remote Protocol uses the AES-CFB8 cipher mode allows unauthenticated adversaries to compromise Domain Controllers in an Active Directory environment. By filling fields of NetLogon messages with zeroes, an attacker can achieve the following:
- Change the system password of the domain controller.
- Obtain valid domain administrator credentials.
- Obtain the password hash of any Active Directory user.
- Create Golden Tickets.
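To show why zero-filled fields matter, here is an added example (not code from the original post or from Microsoft) that implements AES-CFB8 the way Netlogon's ComputeNetlogonCredential function applies it, with an all-zero IV, and measures how often an all-zero 8-byte client challenge yields an all-zero credential. The sample keys are constructed from a counter; they are not real machine-account keys.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// cfb8Encrypt is AES-CFB8 as Netlogon's ComputeNetlogonCredential uses it: XOR each
// plaintext byte with the first byte of AES(key, register), then shift the ciphertext
// byte into the register. A bad key or iv length is a caller bug, hence the panic.
func cfb8Encrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil || len(iv) != aes.BlockSize {
		panic("cfb8Encrypt: key must be 16/24/32 bytes and iv 16 bytes")
	}
	reg, ks := append([]byte(nil), iv...), make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		reg = append(reg[1:], out[i]) // shift left one byte, append ciphertext byte
	}
	return out
}

// zeroCredential: an all-zero 8-byte client challenge under the all-zero IV Netlogon
// uses. The register changes only once a non-zero ciphertext byte enters it, so the
// credential is all zeros exactly when AES(key, 0^16)[0] == 0, i.e. for 1 key in 256.
func zeroCredential(key []byte) bool {
	cred := cfb8Encrypt(key, make([]byte, aes.BlockSize), make([]byte, 8))
	return bytes.Equal(cred, make([]byte, 8))
}

// zeroCredentialRate counts all-zero credentials over n counter-derived sample keys
// (constructed here, not real machine-account keys); expect roughly n/256.
func zeroCredentialRate(n int) int {
	hits, key := 0, make([]byte, 16)
	for i := 0; i < n; i++ {
		key[0], key[1], key[2] = byte(i), byte(i>>8), byte(i>>16)
		if zeroCredential(key) {
			hits++
		}
	}
	return hits
}

func main() {
	fmt.Printf("%d of 65536 sample keys give an all-zero credential (expect about 256)\n", zeroCredentialRate(65536))
}
```

The 1-in-256 rate does not depend on the key, which is why rotating machine account passwords gives no protection and only the Netlogon update itself closes the hole.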
Want to know more about the technical details behind this major Windows Server vulnerability? Check out the Microsoft Report regarding ZeroLogon.
Want to see just how easy it is for an attacker on the internal network to exploit this vulnerability? Check out the video below!
Remediation
As you can see from the video above, it takes very little effort for an internal threat actor to fully compromise the Domain Controller. So, what can your organization do to remediate this critical vulnerability?
Fortunately, the solution is straightforward. The August 2020 Security Patch from Microsoft addresses this vulnerability for all affected versions of Windows. In many organizations, Domain Controllers tend to fall behind on patches because of the impact that updating a Domain Controller can have on many services and applications in the environment. Don’t lag behind on this update!
As security research becomes more prominent, critical vulnerabilities like ZeroLogon are on the rise. nGuard’s team of certified penetration testers are ready to cater to your needs by providing security assessments that bring attention to the weaknesses in your environment. Ready to learn more about nGuard’s Internal Penetration Testing assessment and its positive effects on the overall security landscape of the ever-growing internal network?