The Netlogon Remote Protocol is a mechanism used by the client authentication architecture in Windows Server. Its role is to verify session logins and register, authenticate, and locate domain controllers. As such, it ensures a secure encrypted channel between the client and the server acting as a domain controller and enables users to log in to servers.

Nevertheless, in spite of its cybersecurity measures, and as is the case with all systems, it is not invulnerable (at Cytomic we always take the stance of defense-in-depth with a zero trust approach). This means that the Netlogon service could be used as an attack vector by cyberattackers. The latest vulnerability, dubbed Zerologon, highlights this fact.

Insecure encryption _

Zerologon

Cybersecurity expert Dirk Jan confirmed on Twitter how an exploit of this vulnerability would work.

Zerologon appears as CVE-2020-1472 in its MITRE vulnerability identifier and received a CVSS score (a measure of its exploitability and potential damage) of 10.0, the highest possible. This is because, if successfully exploited, the vulnerability could enable a cyberattacker to gain domain controller and later network administrator privileges, and so theoretically take complete control of a compromised network and the ability to plant ransomware and blackmail the victims. So how does the vulnerability work?

The vulnerability takes advantage of insecure use of the AES-CFB8 encryption standard used in Netlogon sessions. This standard requires that each byte of plain text, such as a password, has an initialization vector (IV) to prevent passwords from being guessed. However, the ComputeNetlogonCredential function in Netlogon defines that this IV always consist of 16 zero bytes. This violates the requirements for using AES-CFB8 securely. So, when a message encryption consists only of zeroes, and with an all-zero IV, there is a 1 in 256 chance that the output will only contain zeroes and it will be possible to access the domain controller. Then, the Windows Active Directory password can be changed and, potentially, an adversary can obtain administrator privileges which would give complete control over the network.

Reducing the window of opportunity_

Microsoft published a patch to fix Zerologon along with a series of changes to the Netlogon secure connection channel which administrators should apply. As with all vulnerabilities, it is critical that IT or cybersecurity managers deploy patches and updates as soon as possible to reduce the ‘window of opportunity’ exploited by cyberattackers, i.e. the time before an update is pushed out to prevent the vulnerability being exploited.

However, IT and cybersecurity managers are subject to increasing pressure and have to resolve a growing number of issues that are a priority for their companies, especially in recent months with the COVID-19 pandemic, as cyberattacks have become more frequent and more sophisticated. Consequently, they are often unable to pay sufficient attention to applying the patches and updates their systems and applications require and which, as with the one released to correct Zerologon, could be critical given the potential damage.

To respond to this challenge, Cytomic customers can rely on Cytomic Patch, which provides advice on vulnerabilities and helps manage patches for operating systems and third-party applications on Windows workstations and servers. The tool identifies and manages SOC vulnerabilities along with those of hundreds of common applications in business environments while also offering centralized patching mechanisms from Cytomic’s own cloud console. Customers can also use Cytomic’s vulnerabilities portal.

In this way, IT and cybersecurity teams can verify the patch status and schedule or immediately apply essential updates simply and quickly, thereby avoiding the critical incidents caused by cyberattackers exploiting vulnerabilities such as Zerologon.