Zerologon bug is a perfect 10. Patch now or crash hard

Richi Jennings Your humble blogwatcher, dba RJA

A researcher found a really nasty bug in Windows Server, calling it Zerologon. The Active Directory domain controller code screws up an important bit of AES, earning a perfect 10 on the CVSS scale.

“Important” yet obscure. But aren’t most things related to encryption?

The bug was quietly patched last month. So you know what to do—and when to do it.

This is not a moment to shilly-shally, nor prevaricate. In this week’s Security Blogwatch, we get off the pot.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Martian volcanoes.


What’s the craic? Dan Goodin reports—New Windows exploit lets you instantly become admin:

CVE-2020-1472 … carries a critical severity rating [and] a maximum of 10 under the Common Vulnerability Scoring System. Exploits require that an attacker already have a foothold inside a targeted network.

Such post-compromise exploits have become increasingly valuable to attackers pushing ransomware or espionage spyware. Tricking employees to click on malicious links and attachments in email is relatively easy.

Enter Zerologon. … It allows attackers to instantly gain control of the Active Directory. From there, they will have free rein to do just about anything.

Zerologon works by sending a string of zeros in … the Netlogon protocol, which Windows servers rely on for a variety of tasks, including allowing end users to log in. … For AES-CFB8 to work properly, so-called initialization vectors must be unique and randomly generated with each message. Windows failed to observe this requirement.

Administrators are understandably cautious about installing updates that affect network components as sensitive as domain controllers. [But] there may be more risk in not installing than installing sooner than one might like.

And Catalin Cimpanu exhorts—Patch now:

Last month Microsoft patched one of the most severe bugs ever reported to the company. … The bug is truly worthy of its 10/10 CVSSv3 severity score.

Patching Zerologon was no easy task for Microsoft. [It’s] scheduled to take place over two phases. The first one took place last month, when Microsoft released a temporary fix [that] made the Netlogon security features (that Zerologon was disabling) mandatory. … A more complete patch is scheduled for February … in case attackers find a way around the August patches.

The entire attack is very fast and [takes] up to three seconds. … As expected, weaponized proof-of-concept code has been made publicly available. … It's literally game over for the attacked company.

Literally? Anyway, Ryan Seguin digs into CVE-2020-1472:

The AES-CFB8 standard requires that each byte of plaintext, like a password, must have a randomized initialization vector (IV) so that passwords can’t be guessed. The ComputeNetlogonCredential function in Netlogon sets the IV to a fixed 16 bits, which means an attacker could control the deciphered text.

Several proofs of concept (PoCs) have been published to GitHub which demonstrates wide interest … from security researchers and attackers alike. … One could use this vulnerability to deploy ransomware throughout an organization and maintain a persistent presence.

Who discovered it? Secura’s Tom Tervoort—Unauthenticated domain controller compromise by subverting Netlogon cryptography:

A Netlogon session is initiated by the client, whereby client and server exchange random 8-byte nonces. … They both compute a session key by mixing both challenges with the shared secret. … Then the client uses this session key to compute a client credential. The server recomputes this same credential value and if it matches [then] the client must know the … password.

The cryptographic primitive [that] the client and server use to generate credential values is the ComputeNetlogonCredential function, which … makes use of the rather obscure CFB8 (8-bit cipher feedback) mode. … In order to … encrypt the initial bytes of a message, an Initialisation Vector (IV) must be specified [which] must be unique and randomly generated. [But Windows] defines that this IV … always consists of 16 zero bytes. This violates the requirements.

[The attack] effectively boils down to filling particular message parameters with zeroes and retrying the handshake a few times in order to set an empty computer password … of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials.

The patch released on Patch Tuesday … addresses this problem by enforcing Secure NRPC … for all Windows servers and clients in the domain. … The option also exists to turn on “enforcement mode” … even when this would cause [devices] to break. In February [it] will be turned on by default, requiring administrators to update, decommission or whitelist devices that do not support Secure NRPC.
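The zero-IV failure described above can be reproduced in isolation. This is an added example, not code from Secura, Microsoft or any of the quoted posts. It implements CFB8 with a keyed SHA-256 standing in for AES as the block function (an assumption made to keep it dependency-free; CFB only uses the cipher's encrypt direction) and runs it over constructed sample keys. With an all-zero IV, an all-zero plaintext encrypts to an all-zero ciphertext for roughly one key in 256; with a fresh random IV it does not happen in practice.

```python
import hashlib
import os

BLOCK = 16  # AES block size in bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_k(block): keyed SHA-256 truncated to 16 bytes (assumption).
    CFB never calls the decrypt direction, so a keyed PRF is enough for this demo."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """8-bit cipher feedback: one block-cipher call per plaintext byte."""
    register = iv  # 16-byte shift register, seeded with the IV
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, register)[0]
        c = p ^ keystream_byte
        out.append(c)
        # Shift left by one byte and feed the ciphertext byte back in.
        register = register[1:] + bytes([c])
    return bytes(out)


def count_all_zero_outputs(n_keys: int, random_iv: bool) -> int:
    """Encrypt 8 zero bytes under n_keys keys; count all-zero ciphertexts."""
    zeros8 = bytes(8)
    hits = 0
    for i in range(n_keys):
        key = i.to_bytes(16, "big")  # constructed sample keys, not session keys
        iv = os.urandom(BLOCK) if random_iv else bytes(BLOCK)
        if cfb8_encrypt(key, iv, zeros8) == zeros8:
            hits += 1
    return hits


if __name__ == "__main__":
    n = 65536
    print("zero IV  :", count_all_zero_outputs(n, random_iv=False), "of", n)
    print("random IV:", count_all_zero_outputs(n, random_iv=True), "of", n)
```

The mechanism is visible in the loop: if the first keystream byte is zero, the ciphertext byte is zero, the register shifts back to all zeros, and every later byte repeats the same outcome.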

Could you describe that in a less convoluted way? Waffle Iron cuts the waffle: [You’re fired—Ed.]

The login protocol encrypts a small authentication token using a random session key. The system uses AES in an obscure serial mode, but it stupidly uses an all-zero initialization vector.

Any session key that happens to start with zero will produce an all-zero result token given the AES mode and zeroed IV. So one time out of [128] tries on average, an all-zero authentication token will match. They just keep trying to authenticate with an all-zero token until they get in.

Oh boy. With a worry, here’s malor:

System administrators … worry that they may no longer control the machine. Once malware has run with system/root privileges, it becomes logically impossible to disinfect that machine from within that running system. Any indicator of compromise can be hijacked.

One technique that's sometimes used is to install several rogue device drivers for fake devices—if any of them are removed, the others instantly reinstall it. Since there's no good way to stop and remove two or more device drivers at once, the machine literally can't be disinfected. … Compromises can be much deeper and more pernicious.

Wait. Pause. Does this bug seem at all suspicious to you? It does to clovis:

My first thought was: Nice backdoor. … I wonder how long that's been abused. And by whom.

I mean, really, how could initializing a session key with a fixed value get by any code review for so long? I know I'm excessively paranoid, but … I'm suspicious.

Bring on the spittle-flecked absolutists. Here’s one Anonymous Coward:

If you're using a smoking pile of horse manure like Windows and expect security, then you deserve what you get. It's closed source, proprietary, riddled with security holes, and poorly designed.

Anyone using Windows for anything with a legitimate security requirement (medical records, financial records, MRI machines, nuclear reactors, weapon systems, industrial equipment, etc) is a damned fool.

Meanwhile, clackerd has this suggestion for Microsoft:

They should patch it so that, sure, you can get admin rights, but you are then forced to do admin tasks and maintenance too. This will keep the intruders so busy they won't have time to exfil your data.

The moral of the story?

Run—do not walk—to your AD domain controllers (metaphorically speaking). And start planning for February’s second shoe droppage.

And finally

Can Phil really see the Martian volcanoes through a telescope?

tl;dr: probably not.


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: US DoD (public domain)
