When a Patch Tuesday arrives, Microsoft details the security vulnerabilities it fixes. Without digging deep into the release notes, however, some bugs are fixed and then simply pass unnoticed. One such bug and its fix came with no details during last month’s August Patch Tuesday. Specifically, this bug is known as Zerologon and is especially dangerous. Microsoft’s fix is tracked under the identifier CVE-2020-1472, but it was not described in any detail until Dutch security firm Secura B.V. published a blog post this week. In fact, Zerologon may be one of the most dangerous bugs Microsoft has ever dealt with: it would allow attackers to easily take control of Windows servers. It is an elevation of privilege flaw in Netlogon, the Microsoft process that authenticates users against domain controllers. Microsoft rates the flaw at a severity score of 10, the maximum possible, meaning it is as severe as a vulnerability gets. That may explain why Microsoft never made the details of the vulnerability public.
Enterprise Attack
Secura shows Microsoft was correct to deem Zerologon an especially dangerous vulnerability. The researchers point out that an exploit of the bug would allow attackers to impersonate a user on any machine across a network. They could also disable security in Netlogon and change computer security credentials in Active Directory. Perhaps the most dangerous aspect of the bug is how quickly an attack would proceed: in fact, infiltration would take three seconds at the most. Attackers could also use a Zerologon attack to change passwords and, with relatively little effort, take over a whole organization’s network. Enterprises beware! While this is clearly an extremely dangerous vulnerability, an attacker would face some limitations. For example, they would need to be inside the network in some way. If the actor could reach the Windows server, then all bets are off, and the target company is in big trouble: “This attack has a huge impact,” Secura researchers say. “It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain.” As the start of this article suggests, Microsoft has already sent out a patch for Zerologon. However, Microsoft says the patch will be rolled out in two phases due to the sheer complexity of delivering a fix to billions of enterprise devices. Last month’s fix was a temporary one intended to mitigate any exploit until the phased rollout is complete.