A recently patched Windows vulnerability lets anyone with a network connection obtain full access to the Active Directory domain controller.
Researchers at Secura have developed and published a proof-of-concept exploit for a recently patched Windows vulnerability that can allow access to an organization’s Active Directory domain controllers. These controllers usually act as an “impenetrable” gatekeeper for all machines connected to a network.
The researchers have named the exploit Zerologon. It allows attackers to instantly gain control of the Active Directory. From there, an attacker has full administrative capability, including adding new computers to the network and infecting each one with malware of their choice.
This bug is a boon for ransomware and spyware
The underlying vulnerability is tracked as CVE-2020-1472. It carries a critical severity rating from Microsoft and the maximum score of 10 under the Common Vulnerability Scoring System.
“This attack has a huge impact,” researchers with Secura wrote in a white paper published on Friday. “It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”
Secura’s release and description of exploit code were immediately noticed by the US Cybersecurity and Infrastructure Security Agency, which is responsible for all cybersecurity within the US government. Comments about the exploit also quickly flooded social media on Monday.
How it works
Zerologon works by sending a string of zeros in a series of messages that use the Netlogon protocol. Windows servers rely on this protocol for a variety of tasks, including allowing end users to log in to a network. Attackers with no authentication can use the Zerologon exploit to gain domain administrative credentials. All it takes is the ability to establish TCP connections with a vulnerable domain controller.
Administrators are naturally cautious about installing updates that affect network components as critical as domain controllers. In this case, however, the risk of delaying the update likely outweighs the risk of installing it sooner than one would like. Organizations with vulnerable servers should install the patch as soon as they can.
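Once the patch is in place, Microsoft's Netlogon hardening also logs which systems still negotiate vulnerable secure-channel connections, so administrators can find and update them before enforcement cuts them off. The following added example (not from the article or from Secura) triages such records; it assumes the Event IDs 5827 to 5831 that Microsoft documented for this patch, and the log format below is a constructed stand-in rather than the real Security log schema.

```python
from collections import defaultdict

# Event IDs documented by Microsoft for the CVE-2020-1472 Netlogon hardening
# (assumed here, not taken from the article): what the DC did and to whom.
NETLOGON_EVENTS = {
    5827: ("denied", "machine account"),
    5828: ("denied", "trust account"),
    5829: ("allowed_deployment_phase", "machine account"),
    5830: ("allowed_by_policy", "machine account"),
    5831: ("allowed_by_policy", "trust account"),
}

# Constructed, simplified stand-in (not the real log schema): "<EventID>|<account>|<OS>".
SAMPLE_LOG = """\
5829|WS-FINANCE-07$|Windows 7 Professional
5827|PRINTSRV-02$|Unknown
5829|WS-FINANCE-07$|Windows 7 Professional
5830|LEGACY-NAS$|Linux (Samba)
4624|jdoe|Windows 10
5831|PARTNER-TRUST$|Unknown
"""

def parse_line(line):
    """Return (event_id, account, os) for Netlogon events, else None."""
    parts = line.strip().split("|")
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    event_id = int(parts[0])
    if event_id not in NETLOGON_EVENTS:
        return None  # unrelated event (e.g. an ordinary 4624 logon)
    return event_id, parts[1], parts[2]

def triage(log_text):
    """Group accounts still on vulnerable Netlogon channels by outcome.

    'allowed_*' entries will break once the DC enforces secure RPC, so
    they need updating or a deliberate exception; 'denied' are blocked.
    """
    report = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        event_id, account, os_name = parsed
        outcome, _ = NETLOGON_EVENTS[event_id]
        report[outcome][account] = os_name
    return dict(report)

if __name__ == "__main__":
    for outcome, accounts in sorted(triage(SAMPLE_LOG).items()):
        print(f"{outcome}: {sorted(accounts)}")
```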