August Microsoft Patch Tuesday Critical Update – Zerologon Active Directory Attack is Severe

Microsoft’s August Patch Tuesday Windows Updates included the following gem, described as “one of the most severe bugs ever reported to Microsoft”.

The Zerologon attack targets Microsoft’s on-premises Active Directory product, which is used by 90%+ of all organizations worldwide.

Active Directory runs on Microsoft Windows Server(s), which are referred to as Domain Controllers. Domain Controllers run a Windows service called Netlogon, which sits in the middle of Active Directory authentication (i.e., it checks that the password you present matches the one on file).

This attack takes advantage of a weak cryptographic algorithm in the Netlogon service and allows an attacker to:

  • Impersonate the identity of any computer on the network when authenticating against the Domain Controller
  • Disable security features in the Netlogon authentication process
  • Change a computer’s password in the Domain Controller’s Active Directory database (the database of all computers joined to a domain, and their passwords)

In summary, an attacker could take over as Domain Administrator and have complete control over your most critical IT service — Active Directory. They could lock you out of all your domain-joined computers and servers and hold you ransom, for example. This vulnerability carries a 10/10 CVSSv3 severity score (or as we call it, the oh-s**t score).

However, an attacker would have to run malicious code on your internal network for this attack to work. An individual computer or server would have to be compromised first, e.g., a staff member clicks on the wrong link in an email and gets infected. Then, once that device is on the same internal network as your Domain Controllers (e.g., on the non-guest Wi-Fi, a network jack plugged in at the office, or over VPN), the attacker moves laterally and uses Zerologon against your Domain Controllers.

Now for the good news — Microsoft already has a temporary solution in place, BUT it requires an IT Administrator to intervene manually.

Instructions for Your IT Company:

1) IT Administrators need to install Microsoft’s August Monthly Rollup on all Windows Domain Controllers and reboot. Your IT Company should be doing this for you automatically within 1-2 weeks of Patch Tuesday.

2) Follow Microsoft’s guide to blocking this specific insecure connection: “How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472”.
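As an added example that is not part of the original post or of Microsoft’s own tooling, the following PowerShell check, run on a Domain Controller after step 1, reports whether the enforcement setting from Microsoft’s CVE-2020-1472 guidance is in place and lists any recent Netlogon events that guidance documents for vulnerable secure channel connections. The registry value name and Event IDs are taken from that Microsoft KB article; the 7-day lookback window is an assumption.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on each
# Domain Controller after installing the August rollup.
# (1) Check the Netlogon enforcement value described in Microsoft's CVE-2020-1472 KB.
#     1 = vulnerable connections are rejected (step 2 complete); absent/0 = monitoring only.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$value   = Get-ItemProperty -Path $regPath -Name 'FullSecureChannelProtection' -ErrorAction SilentlyContinue

if ($null -ne $value -and $value.FullSecureChannelProtection -eq 1) {
    Write-Output 'FullSecureChannelProtection = 1: vulnerable Netlogon connections are blocked (enforcement mode).'
} else {
    Write-Output 'FullSecureChannelProtection is not 1: this DC only logs vulnerable connections; step 2 is not complete.'
}

# (2) Look for the Netlogon events the KB documents in the System log:
#     5827/5828 = a vulnerable machine or trust account connection was denied,
#     5829      = a vulnerable connection was allowed (pre-enforcement deployment phase),
#     5830/5831 = a vulnerable connection was allowed because an admin explicitly permitted it.
# The 7-day window is an assumption; widen it to match your review cadence.
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No Netlogon secure channel warnings in the last 7 days.'
} else {
    # Summarise by Event ID, then list each event so the admin can identify which
    # devices still need patching or replacing before enforcement is turned on.
    $events | Group-Object Id | ForEach-Object {
        Write-Output ('Event {0}: {1} occurrence(s)' -f $_.Name, $_.Count)
    }
    $events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
}
```

Any 5829 events name devices that would be locked out once enforcement is enabled, so they should be patched or replaced before FullSecureChannelProtection is set to 1.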

Long Story Short

  • A massive vulnerability in Microsoft Active Directory was disclosed this month, and it probably affects your business.
  • To mitigate it, August’s Windows Update Rollup has to be installed, AND a change has to be made on each Domain Controller by an IT Administrator. Just installing the update does nothing.
  • We hope that you have an IT Company on retainer, that they’re actively managing your Windows Updates, AND that they’re paying attention to security news so that they can catch stuff like this and mitigate it before it puts you out of business. We have our clients covered on this.

If you’d like to discuss this more, contact us here.