New Windows exploit lets you instantly become admin. Have you patched?



Researchers have developed and published a proof-of-concept exploit for a recently patched Windows vulnerability that can give an attacker access to an organization's crown jewels: the Active Directory domain controllers that act as the gatekeeper for every machine joined to the network.

Tracked as CVE-2020-1472, the vulnerability carries a critical severity rating from Microsoft and the maximum score of 10 under the Common Vulnerability Scoring System. Exploitation requires that the attacker already have a foothold inside the target network, either as an unprivileged insider or through the compromise of a connected device.

A "crazy" bug with "huge impact"

Post-compromise exploits of this kind have become increasingly valuable to attackers pushing ransomware or conducting espionage. Tricking employees into clicking malicious links and attachments in email is relatively easy. Using those compromised computers to pivot to more valuable resources can be much harder.

It can take weeks or months to escalate from low-level privileges to the ones needed to install malware or execute commands at will. Enter Zerologon, an exploit developed by researchers at the security firm Secura. It lets attackers instantly gain control of Active Directory. From there, they have free rein to do whatever they want, from adding new computers to the network to infecting each one with malware of their choice.

"This attack has a major impact," researchers with Secura wrote in a white paper published Friday. "It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged a device into an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials."

The Secura researchers, who discovered the vulnerability and reported it to Microsoft, said they had developed an exploit that works reliably, but given the risk, they would not release it until they were confident Microsoft's patch had been widely installed on vulnerable servers. The researchers warned, however, that it is not hard to reverse-engineer Microsoft's patch and build a working exploit from it. In the meantime, researchers at other security firms have published their own proof-of-concept attack code.

The publication of the exploit code, and of the description of how it works, quickly caught the attention of the US Cybersecurity and Infrastructure Security Agency, which works to improve cybersecurity across all levels of government. Twitter was also abuzz on Monday with comments on the threat the vulnerability poses.

"Zerologon (CVE-2020-1472), the most insane vulnerability ever!" one Windows user wrote. "Domain admin privileges from unauthenticated network access to DC."

"Remember saying that privileged access is what matters and it doesn't matter if a few boxes get popped?" wrote Zuk Avraham, a researcher and the founder and CEO of security firm ZecOps. "Oh well ... CVE-2020-1472 / #Zerologon is basically going to change your mind."

Keys to the kingdom

Zerologon works by sending a string of zeros in a series of messages that use the Netlogon protocol, which Windows servers rely on for a variety of tasks, including letting end users log in to the network. As long as the attacker can establish TCP connections to a vulnerable domain controller, no authentication is needed: the exploit yields domain administrator credentials outright.

The vulnerability stems from the Windows implementation of AES-CFB8, which uses the AES block cipher in 8-bit cipher feedback mode to encrypt and validate the authentication messages Netlogon exchanges across the internal network.

For AES-CFB8 to be secure, the so-called initialization vector must be unique and randomly generated for every message. Windows did not honor that requirement: it used a fixed, all-zero IV. Zerologon exploits this omission by sending Netlogon messages whose carefully chosen fields consist entirely of zeros, so that for one in every 256 session keys the encrypted output is all zeros as well, and the attacker can simply retry until it is. Secura's write-up offers a deep dive into the cause of the vulnerability and its five-step approach to exploitation.
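The following is an added example, not code from the article or from Secura's write-up, that models only the mode-level flaw just described: AES-CFB8 driven with a fixed all-zero IV. It implements the CFB8 shift register explicitly so the failure is visible: when the IV and the plaintext are all zeros, the ciphertext is all zeros exactly when the first byte of E_k(0^16) is zero, which happens for about one key in 256, and a retry loop over fresh (unknown) session keys finds such a key after roughly 256 tries. With a per-message IV the same trick would need all eight keystream bytes to be zero independently, so the loop never succeeds. Assumptions: the 8-byte message length, the "session keys" and the substitute "random" IVs are all constructed for the example; real AES is used when the `cryptography` package is installed, otherwise a keyed SHA-256 stand-in (CFB8 only ever runs the block function forward, so the mode's behaviour is unchanged). Netlogon message formats, RPC calls and the exploit's five steps are not reproduced.

```python
"""Why a fixed all-zero IV makes AES-CFB8 collapse for 1 in 256 keys.

Added example, not from the article or Secura's write-up.  Only the
mode-level flaw is modelled; no Netlogon messages or exploit steps.
"""
import hashlib
from typing import Callable, Optional, Tuple

BLOCK = 16


def make_block_fn(key: bytes) -> Callable[[bytes], bytes]:
    """Single-block encryption under `key`: real AES via the `cryptography`
    package if installed, otherwise a keyed SHA-256 stand-in (assumption: not
    AES, but CFB8 only runs the block function forward, so the flaw is identical)."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return lambda block: hashlib.sha256(key + block).digest()[:BLOCK]
    aes = algorithms.AES(key)

    def aes_block(block: bytes) -> bytes:
        enc = Cipher(aes, modes.ECB()).encryptor()  # one raw block, no chaining
        return enc.update(block) + enc.finalize()

    return aes_block


def cfb8_encrypt(block_fn: Callable[[bytes], bytes], iv: bytes, plaintext: bytes) -> bytes:
    """CFB with an 8-bit feedback segment (NIST SP 800-38A): each keystream byte
    is the first byte of E_k(register); the ciphertext byte is shifted into the
    register.  If the register is all zeros and the ciphertext byte is zero,
    the register stays all zeros and every following byte repeats the result."""
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_fn(bytes(reg))[0]
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    """The only quantity a zero-IV, zero-plaintext encryption depends on."""
    return make_block_fn(key)(bytes(BLOCK))[0] == 0


def zero_iv_collapses(key: bytes, n: int = 8) -> bool:
    """True iff n zero bytes encrypt to n zero bytes under IV = 0 and `key`."""
    return cfb8_encrypt(make_block_fn(key), bytes(BLOCK), bytes(n)) == bytes(n)


def session_key(i: int) -> bytes:
    """Constructed stand-in for the i-th unknown session key the attacker faces."""
    return hashlib.sha256(b"constructed-session-key-" + i.to_bytes(4, "big")).digest()[:BLOCK]


def zero_iv(_: int) -> bytes:
    """What the vulnerable implementation used: the same all-zero IV every time."""
    return bytes(BLOCK)


def fresh_iv(i: int) -> bytes:
    """Constructed stand-in for a per-message random IV (what the mode requires)."""
    return hashlib.sha256(b"constructed-iv-" + i.to_bytes(4, "big")).digest()[:BLOCK]


def find_collapsing_key(iv_for: Callable[[int], bytes], max_tries: int) -> Tuple[Optional[bytes], int]:
    """The attacker's retry loop: keep forcing fresh session keys until an
    8-byte all-zero message encrypts to 8 zero bytes.  Returns (key, tries),
    or (None, max_tries) if it never happened.  With zero_iv this takes ~256
    tries on average (probability 1/256 per key); with fresh_iv all 8
    keystream bytes must be zero independently (~2^-64), so it never succeeds."""
    for i in range(1, max_tries + 1):
        key = session_key(i)
        if cfb8_encrypt(make_block_fn(key), iv_for(i), bytes(8)) == bytes(8):
            return key, i
    return None, max_tries


if __name__ == "__main__":
    key, tries = find_collapsing_key(zero_iv, 10_000)
    print(f"IV = 0      : all-zero ciphertext after {tries} tries, key {key.hex()}")
    key, tries = find_collapsing_key(fresh_iv, 10_000)
    print(f"fresh IV    : found={key is not None} after {tries} tries")
```

The retry count is the whole attack surface: a 1/256 event that the attacker can repeat at will is, in practice, a certainty, which is why Secura's white paper treats an unauthenticated network position as sufficient. A per-message IV does not change the block cipher at all; it only removes the attacker's ability to keep the shift register in a known state.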

In a statement, Microsoft wrote: "A security update was released in August 2020. Customers who apply the update, or have automatic updates enabled, will be protected."

As some Twitter critics have pointed out, some naysayers downplay the seriousness of the bug, arguing that once attackers have gained a foothold in a network, it is already game over.

That argument runs counter to the principle of defense in depth, which calls for multiple layers of protection that anticipate a successful breach and provide redundancy to contain it.

Administrators are right to be cautious about installing updates that affect components as sensitive as domain controllers. In this case, however, the risk of not installing the patch outweighs the risk of installing it. Organizations with vulnerable servers should marshal whatever resources they need to get this patch installed sooner rather than later.