The new Windows exploit lets you become an administrator instantly. Have you patched?


Researchers have recently developed and published a proof-of-concept exploit for patched Windows vulnerabilities that can allow access to the crown jewels of an organization – Active Directory domain controllers that allow all machines connected to a network Act as a powerful-powerful gatekeeper for.

CVE-2020-1472, as a vulnerability tracking, carries a critical severity rating from Microsoft, as well as a maximum of 10 under the Common Vulnerability Scoring System. Exploits require that an attacker already has a foothold inside a target network, either as an unexpected insider or through the agreement of a connected device.

A “crazy” bug with “huge effects”

Such subsequent exploits have become increasingly valuable to attackers advancing ransomware or spy spyware. It is relatively easy to trick employees into clicking malicious links and attachments in emails. It can be more difficult to use those compromised computers to pivot to more valuable resources.

It can sometimes take weeks or months to install low-level privileges to install malware or execute commands. Enter Zerologon, a feat developed by researchers at the security firm Secura. This allows attackers to gain control of Active Directory immediately. From there, they will be free to add anything they like, from adding new computers to the network, to doing anything from malware of their choice.

Researchers in Sikura wrote in the white paper published on Friday, “The attack has widespread effects.” “This basically allows any attacker on the local network (such as a malicious insider or someone who simply plugs a device to a device and completely locks it into the network premises). This attack is completely irresponsible: the attacker does not need any user credentials. ”

Researchers at Secura, who discovered the vulnerability and reported it to Microsoft, said they have developed an exploit that works reliably, but given the risk, they do not release it until they Don’t believe that Microsoft’s patch has been installed on a widely vulnerable server. However, researchers warn that it is not difficult to use Microsoft’s patches to work backwards and develop a feat. Meanwhile, individual researchers from other security firms have published their own proof-of-concept attack code here, and here.

The release and description of exploitation codes attracted the attention of the US Cyber ​​Security and Infrastructure Security Agency, which works to improve cyber security at all levels of government. Twitter was on monday Flying with comments Commenting on vulnerability posed by vulnerability.

“Zerologon (CVE-2020-1472), the craziest vulnerability ever!” A windows user wrote. “Immediately from network access to DC without domain administrator privileges.”

“Remember something about the least privileged usage and it doesn’t matter if some boxes are stopped?” Zuk Avraham, a researcher who is the founder and CEO of security firm ZecOps, wrote. “Oh well … CVE-2020-1472 / #Zerologon is about to change your mind fundamentally.”

State key

Zerologon works by sending a string of Xeros to a series of messages that use the Breton protocol, which Windows Server relies on for a variety of tasks, including allowing end users to log into a network. People with no authentication can use exploits to gain domain administrative credentials, as long as attackers have the ability to establish a TCP connection with a weak domain controller.

The vulnerability stems from the Windows implementation of AES-CFB8, or with cipher feedback to encrypt and validate encryption messages to detect internal networks using the AES cryptography protocol.

For AES-CFB8 to function properly, the so-called initialization vectors must be unique and randomly generated with each message. Windows failed to comply with this requirement. Zeroglon took advantage of this omission to send devotion messages that included Zeros in various carefully selected areas. Sikura gives a deep dive into the cause of the writeup vulnerability and the five-step approach to exploiting it.

In a statement, Microsoft wrote: “A security update was released in August 2020. Customers who apply the update, or have automatic updates enabled, will be protected.”

As stated in some of Twitter’s comments, some naysayers are likely to reduce the severity by saying that, any time attackers gain an advantage in a network, it is already over.

This argument rests with the defense-in-depth theory, which advocates creating multiple layers of defense that anticipate successful violations and create redundancy to mitigate them.

Administrators are very cautious about installing updates that affect network components as sensitive as domain controllers. In this case, installing as soon as possible may pose a greater risk such that more than one may be installed. Organizations with weak servers should ensure that they have whatever resources they need to install this patch as soon as possible.