Microsoft has issued yet another notice regarding the Zerologon vulnerability after receiving reports of active exploitation. The bug is used in a second-stage attack and lies in Windows Domain Controller servers; if exploited, it gives the attacker elevated admin privileges, who can then change users and take over the domain to use it for malicious purposes.
Exploitation of the Zerologon Bug Continues
The Zerologon bug has been a hot topic in cyberspace for the last two months. The vulnerability, tracked as CVE-2020-1472, lies in the Netlogon Remote Protocol (MS-NRPC) used by Windows Domain Controller servers. Researchers say the Domain Controller can be spoofed and login credentials obtained easily.
Obtaining internal access means the power to modify other users' roles and even block others from accessing the network. While this is a second-stage attack, researchers warned that it is extremely serious because the exploit takes less than a minute to perform. Considering this, it was given a severity score of 10/10.
Acknowledging the seriousness of this bug, CISA earlier issued notices to all federal agencies to patch it in their Windows 10 systems as soon as possible, or, failing that, to disconnect them from the network as a best practice. Microsoft released a patch for it in the August update and recommended that everyone apply it immediately. Yet many servers are still running on old versions and thus remain vulnerable.
And now, as Microsoft continues to receive reports from various sources about exploitation of the Zerologon bug, it has issued another notice: “We strongly encourage anyone who has not applied the update to take this step now. Customers need to both apply the update and follow the original guidance as described in KB4557222 to ensure they are fully protected from this vulnerability.”
Reminder to all our Windows customers to deploy at least the August 2020 update or later and follow the original, published guidance to fully resolve the vulnerability, CVE-2020-1472. For further information, see our blog post: https://t.co/br77bEP0mu
— Security Response (@msftsecresponse) October 29, 2020
To clear up the confusion, it has published simple steps on how to deal with the patch update:
- UPDATE your Domain Controllers with an update released August 11, 2020, or later.
- FIND which devices are making vulnerable connections by monitoring event logs.
- ADDRESS non-compliant devices making vulnerable connections.
- ENABLE enforcement mode to address CVE-2020-1472 in your environment.
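As an added example (not from the article or from Microsoft's KB), the FIND and ENABLE steps above in PowerShell: it inventories which clients are still making vulnerable Netlogon connections and, once they are addressed, switches on enforcement mode. It assumes the Netlogon event IDs 5827 to 5831 and the FullSecureChannelProtection registry value documented in KB4557222, and is run on a Domain Controller with administrative rights.

```powershell
# Added example, not from the article or KB4557222 itself. Run on each Domain Controller.
# Event IDs per KB4557222: 5827/5828 = vulnerable connection denied, 5829 = vulnerable
# connection allowed (monitoring phase), 5830/5831 = allowed by a Group Policy exception.
$VulnerableNetlogonEventIds = 5827, 5828, 5829, 5830, 5831

function Get-VulnerableNetlogonClients {
    # One row per client machine account, with the most recent event and outcome.
    [CmdletBinding()]
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = $VulnerableNetlogonEventIds
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The client identity is carried as labelled text in the event message.
            $msg = $_.Message
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Outcome     = if ($_.Id -in 5827, 5828) { 'Denied' } else { 'Allowed' }
                Machine     = [regex]::Match($msg, 'Machine SamAccountName:\s*(\S+)').Groups[1].Value
                Domain      = [regex]::Match($msg, 'Domain:\s*(\S+)').Groups[1].Value
                OS          = [regex]::Match($msg, 'Machine Operating System:\s*([^\r\n]+)').Groups[1].Value.Trim()
            }
        } |
        Group-Object Machine |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Machine     = $_.Name
                Domain      = $latest.Domain
                OS          = $latest.OS
                Events      = $_.Count
                LastSeen    = $latest.TimeCreated
                LastOutcome = $latest.Outcome
            }
        }
}

function Enable-NetlogonEnforcement {
    # Enforcement mode per KB4557222: FullSecureChannelProtection = 1 under the Netlogon parameters key.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    if ($PSCmdlet.ShouldProcess($key, 'Set FullSecureChannelProtection = 1')) {
        Set-ItemProperty -Path $key -Name FullSecureChannelProtection -Value 1 -Type DWord
    }
}

# Review clients still being allowed through, address them, then enable enforcement (drop -WhatIf to apply).
Get-VulnerableNetlogonClients -Days 30 | Where-Object LastOutcome -eq 'Allowed' | Format-Table -AutoSize
Enable-NetlogonEnforcement -WhatIf
```

Machines that keep appearing with an Allowed outcome are the non-compliant devices the third step refers to; enforcement mode turns those connections into Denied events.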