From the start of the year there have been multiple new vulnerabilities that have caused a lot of problems in the cyber space. The pandemic has also fashioned a new string of attacks on companies and individuals who were struggling in terms of information or personal security. Then came the Zerologon. The new vulnerability that has caused a great stir and abrupted the discussions on the future of security and the demand for it.

It’s called Zerologon due to the flaw in the logon process where the initialization vector (IV) is set to all zeros all the time while an Initialization Vector (IV) should always be a random number. – Trend Micro

It is without a doubt or objection that looking at the severity of this vulnerability it has a 10 out of 10 rating by the Common Vulnerability Scoring System (CVSS). There are known active proof-of-concept (PoC) exploits, and for that reason there have been active exploitation of the vulnerability detected on the Internet.

Looking at the magnitude of impact and damage this vulnerability can cause, it is in the right direction and a right call that an emergency directive has been sent to institutions and agencies to immediately patch or disable all the compromised systems running Windows servers.

Microsoft has released the first of two patches and they need to be applied to all Domain Controllers.

Technical Details

This vulnerability exploits a cryptographic flaw in Microsoft’s Active Directory Netlogon Remote Protocol (MS-NRPC), which allows users to log on to servers that are using NTLM (NT LAN Manager).

Now, the pressing issue with this vulnerability is that MS-NRPC is also used to transmit certain account changes, such as computer service account passwords.

So, let us go back to its origin, it is possible to see the rationale for adding this feature, but the lack of validation in the source of the request to change these passwords has become a very significant security issue.

Then it begins to worsen up from here. The encryption that was added to MS-NRPC was not chosen wisely.

Encryption Flaw

The algorithm originally used to encrypt the logon process in Windows NT was 2DES, which we now know has issues. Today MS-NRPC uses the Advanced Encryption Standard (AES), considered the benchmark for encryption. In addition to choosing a proven strong algorithm, additional settings must be selected to ensure adequate strength.

MS-NRPC uses an obscure setting known as AES-CFB8 (Advanced Encryption Standard – Cipher Feed Back 8 bit). AES-CFB8 is obscure because it is not well known and not well tested. The use of AES-CFB8 within MS-NRPC has an issue with the Initialization Vector (IV) which should be a random number, but MS-NRPC has it fixed at a value of 16 bytes of zeros. That is anything but random. It is predictable.

Cryptography is often broken where there is predictability. This is a common mistake where the encryption theory might be solid, but the implementation (in this case lack of randomness) is weak, often due to human error.

"Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks," the company wrote in a series of tweets.

What makes it critical? The Zerologon allows a hacker to take full control of a domain controller (DC), including the root DC.  This is done by;

• changing or removing the password for a service account on the controller.
• then simply cause a denial of service or take over and own the entire network.

For attackers to exploit this vulnerability, they must be able to set up a TCP session with a DC. This can be done if the attacker is located on same internal network as the DC.

It is very important to note that these exploits qualify as insider attacks – the most expensive attacks for a business today. They can be established from outside of the network so long as they can gain a foothold somewhere to establish the TCP session to the controller, such as a supplier using a VPN connection to access internal networks.

Using AES-CFB8 with a fixed IV of 16 bytes of zeros, Tom Tervoort (who originally discovered this vulnerability) noticed there is a likelihood of one of every 256 keys used will create cipher text that has a value of all zeros. This is an exceedingly small number of keys for the attacker to try to create cipher text of all zeros. It would take just a matter of 2-3 seconds, at most, for the hacker's computer to do this.

What happens if you are affected?

Because of the nature of the vulnerability, there are many independent exploits and so if the Active Directory Domain Controllers are not patched, great damage can be caused to businesses, as the attack could be used to inject ransomware and other related attacks on a network.

Going forward

All AD servers (2008 R2 and above) should be patched as soon as possible. But the average time from patch release to deployment is still too long.

Researchers state that in the average organization, it takes between 60 to 150 days (about 5 months) after a patch is released to be finally installed. This is known as the Mean Time to Patch (MTTP). 

What’s more, unfortunately the newly issued patch only fixes half of the problem.

According to Microsoft, it will release the second phase of the patch, which will include the enforcement phase, on February 9, 2021. At that time, all devices will be required to use the secure channel mode and if they do not, they will be denied access. If there are older non-compliant devices, they will have to be manually added to a group policy that explicitly allows access to non-compliant devices.

Nessus has updated its Plugins (ID 140657) and so made it easy to verify that your domain controllers are patched or discover if they are vulnerable or susceptible to attack. Make sure you disable 'Only use credentials provided by the user' in the scanner settings.

Worth noting that

Traditional security measures should always be applied to watch for compromised accounts and networks, malicious traffic, and other indicators of compromise (IoC). Intrusion detection and prevention systems and antimalware software for the network and the host devices (all endpoints) to monitor for ransomware, viruses, and other threats are critical. Logs need to be collected, centralized, and analyzed by a SIEM (Security Information & Event Manager). Once the logs are analyzed, there should be people and processes in place to respond to IoC. Then an incident response team with strong procedures and knowledge should take over to decide the extent of the compromise and work towards a resolution.

References:

Itpro.co.uk

Newsnow.co.uk

Cnet.com

Trendmicro.com