Hackers can take control of corporate networks using Zerologon vulnerability
Users who have not yet installed the August Windows updates have another good reason to do so as soon as possible: specialists at the Dutch company Secura B.V. have published details of a privilege escalation vulnerability in Netlogon that can be used to take control of Windows servers acting as domain controllers on a corporate network.
Microsoft partially fixed CVE-2020-1472 with the security updates released in August of this year, but only disclosed details of the flaw in September. The vulnerability carries the maximum severity score of 10 under the CVSSv3 classification.
As Secura's experts explained, the vulnerability, dubbed Zerologon, stems from an insecure cryptographic scheme in the Netlogon authentication mechanism. It allows an attacker to impersonate any computer on the network when authenticating to a domain controller, to disable Netlogon's security features, or to change a computer password stored in the domain controller's Active Directory database.
The attack essentially consists of supplying all-zero values for certain Netlogon authentication parameters (hence the vulnerability's name). The entire attack takes no more than three seconds, but it has a number of limitations; in particular, it only works if the attacker already has access to the internal network.
Microsoft intends to fix the vulnerability in two stages. In the first, the company shipped an interim fix with the August patches that makes the Netlogon security features the Zerologon attack disables mandatory during authentication; a more complete patch is promised for Q1 2021.
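As an added illustration of the two-stage rollout described above (example code written for this article, not code from Microsoft or Secura): after the August update, a domain controller logs System events with IDs 5827 through 5831 whenever a client sets up a Netlogon secure channel without the protections that the update makes mandatory. The script below triages such events so an administrator can see which machine accounts will be cut off once enforcement is switched on, which are already being refused, and which are covered by a policy exception. The event IDs come from Microsoft's guidance for CVE-2020-1472; the record layout (EventID, Computer, ClientAccount, ClientIP) is an assumed SIEM export, and every host name and address in it is constructed sample data.

```python
"""Triage of Netlogon secure-channel audit events on a domain controller.

Added example for this article, not code from Microsoft or Secura. After the
August 2020 update a domain controller writes System-log events with
IDs 5827-5831 (source NETLOGON) when a client sets up a Netlogon secure
channel without the protections that the Zerologon attack switches off.
Those IDs come from Microsoft's CVE-2020-1472 guidance; the record layout
below (EventID, Computer, ClientAccount, ClientIP) is an assumed SIEM export
and every host name and address in it is constructed sample data.
"""
from collections import defaultdict

# What each Netlogon audit event means: (outcome, type of account involved).
NETLOGON_EVENTS = {
    5827: ("denied", "machine"),
    5828: ("denied", "trust"),
    5829: ("allowed-pending", "machine"),    # vulnerable connection still allowed before enforcement
    5830: ("allowed-by-policy", "machine"),  # permitted by an explicit group policy exception
    5831: ("allowed-by-policy", "trust"),
}

# Constructed sample export, one record per event, as a SIEM might emit it.
SAMPLE_RECORDS = [
    {"EventID": 5829, "Computer": "DC01.corp.example", "ClientAccount": "FILESRV07$", "ClientIP": "10.0.5.23"},
    {"EventID": 5829, "Computer": "DC01.corp.example", "ClientAccount": "FILESRV07$", "ClientIP": "10.0.5.23"},
    {"EventID": 5827, "Computer": "DC02.corp.example", "ClientAccount": "OLDNAS$", "ClientIP": "10.0.9.4"},
    {"EventID": 5828, "Computer": "DC02.corp.example", "ClientAccount": "PARTNERDOM$", "ClientIP": "192.0.2.10"},
    {"EventID": 5830, "Computer": "DC01.corp.example", "ClientAccount": "LEGACYAPP01$", "ClientIP": "10.0.7.88"},
    {"EventID": 4624, "Computer": "DC01.corp.example", "ClientAccount": "jdoe", "ClientIP": "10.0.1.2"},
]


def triage(records):
    """Group Netlogon audit events by the client account that caused them.

    Returns {account: {"outcomes": set, "count": int, "sources": set, "dcs": set}};
    records with any other EventID (e.g. ordinary logons) are ignored.
    """
    summary = defaultdict(lambda: {"outcomes": set(), "count": 0, "sources": set(), "dcs": set()})
    for rec in records:
        meta = NETLOGON_EVENTS.get(rec.get("EventID"))
        if meta is None:
            continue
        entry = summary[rec["ClientAccount"]]
        entry["outcomes"].add(meta[0])
        entry["count"] += 1
        entry["sources"].add(rec.get("ClientIP", "unknown"))
        entry["dcs"].add(rec.get("Computer", "unknown"))
    return dict(summary)


def accounts_with_outcome(records, outcome):
    """Sorted client accounts that produced at least one event with the given outcome."""
    return sorted(acct for acct, entry in triage(records).items() if outcome in entry["outcomes"])


def enforcement_readiness(records):
    """Split accounts into the three lists an administrator needs before
    switching the domain controller to enforcement mode."""
    return {
        # Will lose the ability to authenticate once enforcement is on: fix or exempt first.
        "fix_before_enforcement": accounts_with_outcome(records, "allowed-pending"),
        # Already refused: either a device that still needs updating or an attack attempt.
        "already_denied": accounts_with_outcome(records, "denied"),
        # Explicitly exempted by policy: each one is a standing gap and should be reviewed.
        "policy_exceptions": accounts_with_outcome(records, "allowed-by-policy"),
    }


def report(records):
    """Human-readable lines summarising the readiness check."""
    lines = []
    for bucket, accounts in enforcement_readiness(records).items():
        lines.append(f"{bucket}: {', '.join(accounts) if accounts else 'none'}")
    for acct, entry in sorted(triage(records).items()):
        lines.append(f"  {acct}: {entry['count']} event(s) from {', '.join(sorted(entry['sources']))} "
                     f"on {', '.join(sorted(entry['dcs']))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RECORDS)))
```

The useful distinction is between the 5829 bucket, which lists exactly the clients that will stop authenticating the moment enforcement mode is enabled, and the 5827/5828 bucket, which is already being refused and therefore deserves a look in either case: a long-forgotten appliance and an exploitation attempt produce the same denial.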