“An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.” – (Microsoft)
What can happen:
An attacker can use the vulnerability to take over a network. When exploited, it lets a malicious actor with local network access escalate privileges to domain administrator. Domain Administrator privileges grant unfettered access to every resource in the domain.
The flaw lets an attacker trick the domain controller into believing it is communicating with an authenticated user without knowing that user's password. The Zerologon attack works by sending a string of zeros in a series of messages that use the Netlogon protocol. Windows servers rely on Netlogon for a variety of tasks, such as allowing end users to log in to a network. A malicious actor with no authentication can use the exploit to gain domain administrative credentials, as long as they are able to establish TCP connections with a vulnerable domain controller. The attacker can also disable signing and sealing (the encryption of the Netlogon channel), which opens the door to further havoc on the DC. By sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller.
How to Protect Systems
Microsoft is addressing this vulnerability with a two-phase patch rollout. The first phase began with the August 11th, 2020 patch update. Microsoft customers who have successfully applied this update are protected from the Zerologon vulnerability; if you have not applied it yet, do so as soon as possible. The patch fixes the vulnerability by enforcing the Secure Netlogon Remote Protocol for all Windows servers and clients in the domain. The second phase is another update scheduled for some time in the first quarter of 2021.
- The Netlogon Remote Protocol is an RPC interface available on Windows domain controllers. It is used for various tasks related to user and machine authentication, most commonly to let users log in to servers using the NTLM protocol.
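The two footprints described above (a domain controller's computer password being changed by an unauthenticated caller, and devices that are still permitted to use a vulnerable Netlogon channel after the August 2020 update) can be triaged from exported event logs. The following Python script is an added example, not code from the original article or from Microsoft. It assumes event records already flattened into dictionaries with `EventID` and `Properties` keys (the sample records are constructed; real exports name these fields differently depending on the tool), and it relies on the Netlogon event IDs 5827 to 5831 that the August 2020 update added to the System log and on Security event 4742 (computer account changed).

```python
"""Triage exported Windows event records for Zerologon (CVE-2020-1472) indicators."""
from dataclasses import dataclass

# Netlogon events added by the August 2020 update (System log, source NETLOGON).
VULNERABLE_DENIED = {5827, 5828}         # vulnerable secure channel refused: enforcement is working
VULNERABLE_ALLOWED = {5829, 5830, 5831}  # vulnerable secure channel still permitted
COMPUTER_ACCOUNT_CHANGED = 4742          # Security log: a computer account was changed


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical", "high", "medium" or "info"
    event_id: int
    account: str
    reason: str


def triage(events, domain_controllers):
    """Return a list of Finding objects for records relevant to Zerologon exposure.

    `events` are flattened event dicts (assumed shape, see lead-in);
    `domain_controllers` are the DC machine account names, e.g. {"DC01$"}.
    """
    dc_accounts = {dc.upper() for dc in domain_controllers}
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        props = ev.get("Properties", {})
        if eid in VULNERABLE_DENIED:
            # The DC refused the connection; the named client still needs updating.
            findings.append(Finding("info", eid, props.get("SamAccountName", "?"),
                                    "vulnerable Netlogon secure channel refused; update the client"))
        elif eid in VULNERABLE_ALLOWED:
            # Allowed only because enforcement is not yet on or the device is exempted by policy.
            findings.append(Finding("high", eid, props.get("SamAccountName", "?"),
                                    "vulnerable Netlogon secure channel still allowed; patch or remove exemption"))
        elif eid == COMPUTER_ACCOUNT_CHANGED:
            target = props.get("TargetUserName", "").upper()
            subject = props.get("SubjectUserName", "").upper()
            if target not in dc_accounts:
                continue  # only DC machine accounts matter here
            if subject == "ANONYMOUS LOGON":
                # An unauthenticated caller changed the DC's own account: the Zerologon footprint.
                findings.append(Finding("critical", eid, target,
                                        "DC machine account changed by ANONYMOUS LOGON; possible Zerologon password reset"))
            elif subject != target:
                # Routine rotation is performed by the DC itself; anyone else is worth a look.
                findings.append(Finding("medium", eid, target,
                                        f"DC machine account changed by {subject}, not by the DC itself"))
    return findings


def highest_severity(findings):
    """Collapse a finding list to the single most severe level (or "none")."""
    order = ["critical", "high", "medium", "info"]
    for level in order:
        if any(f.severity == level for f in findings):
            return level
    return "none"


# Constructed sample records, shaped like a flattened event export.
SAMPLE_EVENTS = [
    {"EventID": 4742, "Channel": "Security", "Computer": "DC01.corp.example",
     "Properties": {"SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"}},
    {"EventID": 4742, "Channel": "Security", "Computer": "DC01.corp.example",
     "Properties": {"SubjectUserName": "DC01$", "TargetUserName": "DC01$"}},   # routine rotation
    {"EventID": 5829, "Channel": "System", "Computer": "DC01.corp.example",
     "Properties": {"SamAccountName": "PRINTSRV01$"}},
    {"EventID": 5827, "Channel": "System", "Computer": "DC01.corp.example",
     "Properties": {"SamAccountName": "LEGACY-NAS$"}},
    {"EventID": 4624, "Channel": "Security", "Computer": "DC01.corp.example",
     "Properties": {"TargetUserName": "alice"}},                               # unrelated logon
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, {"DC01$"}):
        print(f"[{f.severity.upper()}] event {f.event_id} {f.account}: {f.reason}")
    print("overall:", highest_severity(triage(SAMPLE_EVENTS, {"DC01$"})))
```

The 5829 events are the ones to work through before the enforcement phase: each names a device that will stop authenticating once vulnerable connections are refused, so it needs a vendor update or an explicit, reviewed exemption rather than being left to break. Administrators who want enforcement before the second phase can set the `FullSecureChannelProtection` value to 1 under `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters` on patched domain controllers, after which the 5829 entries turn into 5827/5828 refusals.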