The US Department of Homeland Security is giving federal agencies until 11:59 p.m. EDT on Monday to fix a critical Windows vulnerability that could let attackers become all-powerful administrators, free to create accounts, infect an entire network with malware, and carry out similarly catastrophic actions.
Zerologon, as researchers have named the vulnerability, lets malicious hackers instantly seize unauthorized control of Active Directory, the directory service that stores data about the users and computers authorized to use e-mail, file sharing, and other sensitive services in large organizations. Zerologon is tracked as CVE-2020-1472. Microsoft released a patch in August.
An unacceptable risk
The bug, present in all supported Windows Server versions, carries Microsoft's highest severity rating of critical and the maximum score of 10 under the Common Vulnerability Scoring System. Raising the stakes further, several researchers have released proof-of-concept exploit code that could give malicious hackers a roadmap for building working attacks.
Officials at the Cybersecurity and Infrastructure Security Agency, a component of DHS, issued an emergency directive on Friday warning of the potentially severe consequences for organizations that fail to apply the patch. It says:
CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires immediate and urgent action. This determination is based on the following:
- the availability of exploit code in the wild, which increases the likelihood that any unpatched domain controller will be exploited;
- the widespread presence of the affected domain controllers across the federal enterprise;
- the high potential for a compromise of agency information systems;
- the grave implications of a successful compromise; and
- the persistence of the vulnerability more than 30 days since the update was released.
CISA, which has the authority to issue emergency directives to mitigate known or suspected security threats, gives agencies until 11:59 p.m. EDT on Monday to either install Microsoft's patch or remove vulnerable domain controllers from the agency network.
By 11:59 p.m. EDT on Wednesday at the latest, agencies must submit a completion report showing that the update has been applied to all affected servers, and must ensure that newly provisioned or previously disconnected servers are patched before they are connected to the network.
Exploitation is easier than expected
When details of the vulnerability first surfaced last Tuesday, many researchers believed it could be exploited only by an attacker who already had a foothold on a vulnerable network, either as a malicious insider or as an outsider who had already obtained low-level user privileges. Such post-compromise exploits can be severe, but the prerequisite can be demanding enough to buy defenders time or to push attackers toward simpler, though less serious, vulnerabilities.
Since then, several researchers have pointed out that an attacker can exploit the vulnerability over the Internet without any such prior access. The reason: despite the risks, some organizations expose their domain controllers, the servers that run Active Directory, to the Internet. Those that also expose Server Message Block (SMB) for file sharing or Remote Procedure Call (RPC) for internal data exchange can be exploited with no further prerequisites, because the vulnerable Netlogon interface is reachable over either transport.
"If you've set up detections for #zerologon (CVE-2020-1472), don't forget that it can also be exploited over SMB!" researchers from the security firm Zero Networks wrote. "Run this test script (based on @SecuraBV) for both RPC/TCP and RPC/SMB."
Kevin Beaumont, writing in his capacity as an independent researcher, added: "There is a good (but minor) barrier to entry as the exploits don't remotely automate the query of the DC's domain and NetBIOS name. One unpatched domain controller = every patched domain endpoint is vulnerable to RCE. Another linchpin if you have SMB open – RPC over SMB. Attn network discovery folks."
– Kevin Beaumont (@GossiTheDog), September 17, 2020: https://t.co/2np1gLgTfk
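The detections the researchers above are talking about have a complement on the domain controller itself. Once the August update is installed, the Netlogon service records every attempt to use the vulnerable secure-channel handshake in the System event log (Microsoft documents these events, IDs 5827 through 5831, in its guidance for the update), which tells a defender which devices still rely on the insecure channel and whether any of them are reaching the DC from outside the organization's own address space. The following is an added example for this article, not code from Microsoft, Secura, Zero Networks or the researchers quoted; the exported log lines, host names and IP addresses are constructed, the tab-separated export format is an assumption, and so is the use of the RFC 1918 ranges as the definition of "internal":

```python
"""Triage Netlogon vulnerable-channel events written after the CVE-2020-1472 update.

Added example for the article; not code from Microsoft, Secura or Zero Networks.
Event IDs 5827-5831 are the ones Microsoft documents for the August 2020
Netlogon update. Log lines, host names and addresses below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Events the NETLOGON provider writes to the System log on a patched DC.
DENIED = {5827: "machine account", 5828: "trust account"}
ALLOWED = {5829: "machine account (initial deployment phase)",
           5830: "machine account (allowed by Group Policy)",
           5831: "trust account (allowed by Group Policy)"}

# Assumption: the organization's internal address space is RFC 1918.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export (tab-separated: time, provider, event id, message).
# 203.0.113.77 is a documentation address standing in for an Internet source.
SAMPLE_LOG = """\
2020-09-19T08:01:12Z\tNETLOGON\t5829\tThe Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: PRINTSRV01$ Domain: CORP Account Type: Computer Machine OS: Windows Server 2008 R2 Client IP: 10.20.30.40
2020-09-19T08:02:55Z\tNETLOGON\t5829\tThe Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: PRINTSRV01$ Domain: CORP Account Type: Computer Machine OS: Windows Server 2008 R2 Client IP: 10.20.30.40
2020-09-19T08:03:10Z\tNETLOGON\t5827\tThe Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. Machine SamAccountName: WIN10-0042$ Domain: CORP Client IP: 203.0.113.77
2020-09-19T08:04:00Z\tNETLOGON\t5805\tThe session setup from the computer LAPTOP-7 failed to authenticate.
2020-09-19T08:05:31Z\tService Control Manager\t7036\tThe Print Spooler service entered the running state.
"""

# Pulls the client account and source address out of the event message text.
FIELDS_RE = re.compile(r"SamAccountName:\s*(?P<account>\S+).*?Client IP:\s*(?P<ip>[0-9a-fA-F.:]+)")


@dataclass(frozen=True)
class NetlogonEvent:
    timestamp: str
    event_id: int
    account: str
    client_ip: str


def parse_netlogon_events(log_text):
    """Return only the vulnerable-channel events (5827-5831) found in an export."""
    events = []
    for line in log_text.splitlines():
        parts = line.split("\t", 3)
        if len(parts) != 4 or parts[1] != "NETLOGON":
            continue                      # other providers are irrelevant here
        event_id = int(parts[2])
        if event_id not in DENIED and event_id not in ALLOWED:
            continue                      # ordinary Netlogon noise such as 5805
        match = FIELDS_RE.search(parts[3])
        if not match:
            continue
        events.append(NetlogonEvent(parts[0], event_id, match["account"], match["ip"]))
    return events


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(events):
    """Group events per client: still using the vulnerable channel vs. denied,
    plus any source address outside the internal ranges."""
    still_vulnerable = defaultdict(set)   # account -> source IPs still allowed in
    denied = defaultdict(set)             # account -> source IPs already refused
    external = set()
    for ev in events:
        target = still_vulnerable if ev.event_id in ALLOWED else denied
        target[ev.account].add(ev.client_ip)
        if not is_internal(ev.client_ip):
            external.add(ev.client_ip)
    return {
        "still_vulnerable": {a: sorted(ips) for a, ips in still_vulnerable.items()},
        "denied": {a: sorted(ips) for a, ips in denied.items()},
        "external_sources": sorted(external),
    }


if __name__ == "__main__":
    report = triage(parse_netlogon_events(SAMPLE_LOG))
    for account, ips in report["still_vulnerable"].items():
        print(f"STILL VULNERABLE {account:<14} from {', '.join(ips)} (fix before enforcement)")
    for account, ips in report["denied"].items():
        print(f"DENIED           {account:<14} from {', '.join(ips)}")
    for ip in report["external_sources"]:
        print(f"EXTERNAL SOURCE  {ip} reached Netlogon on this DC; check what is exposed")
```

Two caveats a practitioner should keep in mind: these events exist only on a domain controller that already has the update, so an unpatched DC logs nothing and the patch itself remains the first step; and a 5829 event does not mean an exploit was attempted, only that a client negotiated the insecure channel, which is exactly the kind of device that must be updated or replaced before the vulnerable connections are refused outright. On a live DC the same records can be pulled with Get-WinEvent over the System log, filtered on the NETLOGON provider and IDs 5827 through 5831, and fed to the parser above in whatever export format you use in place of the assumed tab-separated one.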
Queries on the BinaryEdge search service show that nearly 30,000 domain controllers are visible from the Internet, and a further 1.3 million servers expose RPC. Any server that falls into both categories could be vulnerable to remote attacks that send specially crafted packets granting full control of Active Directory.
Beaumont and other researchers continue to see evidence that people are actively developing attack code. So far, however, there have been no public reports of successful or attempted exploits in the wild. Given the effort being invested and the volume of publicly available information about the vulnerability, it would not be surprising to see in-the-wild exploits in the coming days or weeks.