A critical vulnerability in the Microsoft Netlogon Remote Protocol (MS-NRPC) is leaving the domain controllers in some companies open to attack. Although Microsoft has already released an update to patch the flaw, many companies have not yet installed it, despite a spike in attempts to exploit the vulnerability. Hackers are taking advantage of the flaw, which has been dubbed Zerologon, to take over domain controllers and other devices in Windows domains. Because MS-NRPC is a key authentication component for Active Directory domains, they can even use it to disrupt a company’s Active Directory identity-management services.
The ramifications of leaving the Zerologon vulnerability unpatched are so serious that the US Cybersecurity and Infrastructure Security Agency (CISA) issued “Emergency Directive 20-04” on September 18, 2020. This directive ordered federal agencies to update their domain controllers by the end of the day on September 21, 2020 — a three-day window. If meeting this deadline was not possible, the agencies were told to remove the affected domain controllers from their networks.
Here is what you need to know to determine if your company is at risk from the Zerologon vulnerability and, if so, what should be done to protect it.
The Protocol and Its Problems
MS-NRPC is used to secure communications between the domain controllers and other devices in a Windows domain. One of its primary functions is to provide a way for users and devices to log in to a domain. Toward this end, the protocol provides a means to establish secure channel connections — that is, authenticated remote procedure call (RPC) connections between two devices in a domain. The authentication step relies on an encryption algorithm to protect the exchange.
However, a flaw in the way MS-NRPC uses that algorithm’s cipher mode (AES-128-CFB8) leaves domain controllers open to attack. “This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf,” explained the Secura security specialist who discovered the Zerologon vulnerability.
Other factors also contribute to the seriousness of the vulnerability. “That flaw was compounded by several other programmatic oversights where stricter attention to security and correctness could have prevented this attack,” said a Sophos security researcher who independently verified the problems.
The Machines at Risk
Fortunately, not all Windows Server machines are affected by the Zerologon vulnerability. It impacts only those servers acting as domain controllers. In addition, only the following Windows Server versions are affected, according to Microsoft:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2 Service Pack 1
- Windows Server version 2004 (Semi-Annual Channel release)
- Windows Server version 1909 (Semi-Annual Channel release)
- Windows Server version 1903 (Semi-Annual Channel release)
Note that Windows Server 2008 Service Pack 2 is not impacted.
Third-party servers can also be affected by the Zerologon flaw if they use MS-NRPC. For example, Samba domain controllers are impacted for this reason. The CERT/CC Vulnerability Notes Database includes a list of vendors offering devices that could potentially be affected.
What Companies Should Do to Protect Their Domains
To fix the Zerologon flaw, Microsoft has put into motion a plan that is being implemented in two phases: deployment (currently in progress) and enforcement (starting February 9, 2021). As part of the deployment phase, Microsoft has rolled out patches that protect devices against Zerologon attacks. The patches also provide several tools that companies can use to prepare for the enforcement phase. These include the new “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy and several new events that are written to a domain controller’s System event log. These events are logged when vulnerable connections are allowed or denied under various conditions.
Businesses have the option of installing the patches and doing nothing else. “The updates can be installed without added further action, and Windows devices and domain controllers (DCs) will be protected from this vulnerability,” stated Microsoft.
However, Microsoft strongly recommends that companies follow the guidelines presented in the article “How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472” in preparation for the updates that will be rolled out during the enforcement phase. These guidelines discuss how to monitor the domain controllers’ System event logs to find devices that are still using vulnerable connections so the issue can be resolved. For example, a device might still be using vulnerable connections because it is running an unsupported version of Windows.
Fixing any problems during the first phase is important because all vulnerable connections will be automatically denied once the enforcement phase starts. The only exceptions are the connections from any devices listed in the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
“If the guidelines from the KB article are not followed, your organization risks devices in your environment being denied access when the enforcement phase starts in Q1 2021,” warned Microsoft.
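The monitoring step described above can be scripted. The following PowerShell script is an added example written for this article; it is not Microsoft’s code and is not taken from the KB article. It runs on a patched domain controller in an elevated session, pulls the five Netlogon event IDs that the patches add to the System log (5827 through 5831, as documented in Microsoft’s KB article referenced above), and lists the accounts that are still making vulnerable connections without a group policy exemption, which are the ones that will be denied once enforcement starts. The EventData field name `SamAccountName` and the seven-day look-back are assumptions; confirm the field name against one real event before relying on the per-account table.

```powershell
# Added example (not from the original article or Microsoft's KB):
# triage the CVE-2020-1472 Netlogon events on a patched domain controller.
# Run in an elevated PowerShell session on the DC itself.

# Event IDs and their meaning, per Microsoft's KB article on managing
# Netlogon secure channel changes for CVE-2020-1472.
$NetlogonEventIds = @{
    5827 = 'Denied: vulnerable connection from a machine account'
    5828 = 'Denied: vulnerable connection from a trust account'
    5829 = 'Allowed: vulnerable connection (deployment phase only; denied once enforcement starts)'
    5830 = 'Allowed: machine account exempted by the group policy'
    5831 = 'Allowed: trust account exempted by the group policy'
}

# Assumed look-back window; widen it if the DC rotates its System log quickly.
$Since = (Get-Date).AddDays(-7)

# Fetch only the relevant IDs. -ErrorAction SilentlyContinue keeps Get-WinEvent
# from throwing when a DC has not logged any of them yet.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = [int[]]$NetlogonEventIds.Keys
    StartTime = $Since
} -ErrorAction SilentlyContinue

if (-not $Events) {
    Write-Host "No Netlogon vulnerable-connection events in the System log since $Since."
    return
}

# Flatten each event's EventData into an object so that named fields
# (account name, domain, OS version, ...) can be grouped on regardless of
# their position in the event. The field names come from the event XML.
$Records = foreach ($Event in $Events) {
    $Xml = [xml]$Event.ToXml()
    $Record = [ordered]@{
        TimeCreated = $Event.TimeCreated
        Id          = $Event.Id
        Meaning     = $NetlogonEventIds[$Event.Id]
    }
    foreach ($Data in $Xml.Event.EventData.Data) {
        if ($Data.Name) { $Record[$Data.Name] = $Data.'#text' }
    }
    [pscustomobject]$Record
}

# 1) Overall picture: how many of each event the DC has logged.
Write-Host "Netlogon secure channel events since $Since"
$Records | Group-Object Id | Sort-Object Name |
    Select-Object @{n = 'Id'; e = { $_.Name } }, Count,
                  @{n = 'Meaning'; e = { $NetlogonEventIds[[int]$_.Name] } } |
    Format-Table -AutoSize

# 2) The list that matters before enforcement: accounts still using vulnerable
#    connections that are NOT covered by the exemption policy (event 5829).
#    Each one must be patched or upgraded, or deliberately added to the
#    "Allow vulnerable Netlogon secure channel connections" policy.
#    'SamAccountName' is an assumed EventData field name; verify it with
#    ($Records | Select-Object -First 1 | Format-List *).
Write-Host 'Accounts still making vulnerable connections (event 5829):'
$Records | Where-Object Id -eq 5829 |
    Group-Object SamAccountName |
    Select-Object @{n = 'Account'; e = { $_.Name } }, Count,
                  @{n = 'LastSeen'; e = { ($_.Group | Measure-Object TimeCreated -Maximum).Maximum } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it on every domain controller, since each DC only logs the connections it serviced. An empty second table on all DCs, with no 5827 or 5828 denials for devices that should be working, is the state to reach before the enforcement phase begins.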
Don’t Wait — Install the Updates Now
Installing the updates that fix the Zerologon flaw is crucial if your business has domain controllers that use MS-NRPC. Not doing so leaves your business open to attack. We can help you install the updates so your domains are protected. We can also find and fix any problematic connections now so that your business won’t have any service disruptions when the enforcement phase begins next year.