Home Security research Why Zerologon is the silent threat in your network

Why Zerologon is the silent threat in your network

by Cristian Cornea

Reading time

7 minutes

Reading Time: 7 minutes

No red flags. No alerts. Full-on compromise.

The way cybercriminals are putting together various vulnerabilities within the Microsoft infrastructure, including Zerologon vulnerability (CVE-2020-1472), is more than a trending topic in the infosec community. It’s a massive threat for organizations small and large.

With a mean time-to-patch spanning over several months for most organizations, this vuln and adversaries’ methods will add pressure on security and IT staff for at least a few business quarters going forward.

Let’s unpack why this happens so you can gain a deeper understanding of your defensive options.

What is the Zerologon vulnerability?

Zerologon is a flaw within the cryptological function of Microsoft’s Netlogon process. It opens up a gap to orchestrate an attack against the Microsoft Active Directory domain controllers, which an attacker can gain access to. Manipulating the domain controller this way means a malicious actor can manage the environment with administrator privileges.

Orgs with ZeroLogon exploitation attempts by red teams and real attackers starting September 13

Zerologon exploitation attempts

Source: Microsoft

The core of the vulnerability exists within the initialization vector (IV) and occurs when the logon process is set to all the zeros at all times, where initially, it should always be a random number. This way, an attacker can simply orchestrate the attack and get down to the business. They can impersonate any computer or digital device connected to the compromised network.

Microsoft calls this the Netlogon Credential Computation

Netlogon Credential ComputationSource: Naked Security

On the CVE, this vulnerability’s score is a critical 10.0.

CVE Zerologon vulnerability score

Source: NIST NVD

Origin of the vulnerability

The Zerologon detection was discovered by Dutch researcher Tom Tervoort, who was working for Secura in September 2020. In his research, he mentions various other vulnerabilities that are lurking around and his analysis led to what we know as Zerologon today.
Microsoft had already deployed two patches for this vulnerability in August 2020.

How the attack using Zerologon works

The Zerologon vulnerability allows the attacker to take control of a domain controller (DC) as well as the root DC. Given that hackers already have penetrated the network, they can easily take control of the DC by either removing or changing the credentials for a service account on the controller.

After that, it’s up to the hacker to do what they want with the network. For example, they can launch a Denial of Service attack and take down the entire network for all it’s worth.

But before they can exploit this vulnerability, the malicious hacker must be able to set up a TCP (transmission control protocol) session within a DC.
There are many ways to do that: being physically inside the network, occupying the user’s desk, or sitting in a conference room. These qualify as insider attacks and are the most expensive type of intrusion these days for businesses.
But, to exploit the Zerologon vulnerability, the hacker doesn’t need to be inside the network. They can be outside, but able to set up a TCP session to the controller.

exploiting the Zerologon vulnerability

Source: Naked Security 

Tervoort also discovered something else during his research: that the attack path used AES-CFB8 with a fixed IV of 16 bytes of zero, so every 256 keys that are used would create a ciphertext that has a value of all the zeros.
These are only a small number of keys for the attacker to try to create a ciphertext full of all zeros, and it would only take 2-3 seconds for the adversary to do.

Zerologon vulnerability chaining – the bigger issue

CISA (Cybersecurity and Infrastructure Security Agency) has also warned that there are multiple cases where attackers exploit the Fortinet Secure Socket Layer VPN vulnerability ( CVE-2018-13379) in the wild to gain access to networks. It also states that attackers are actively exploiting the MobileIron vulnerability (CVE-2020-15505) for the same purpose.
After gaining the initial access to the system by leveraging these two vulns, malicious actors exploit Zerologon to compromise the Active Directory’s identity services and operate it through remote access tools like RDP and VPN. Using the compromised credentials gives them full access to the environment.
Other similar security issues in products from Pulse Secure (CVE-2019-11510), Juniper (CVE-2020-1631), Palo Alto Networks (CVE-2020-2021), and Citrix NetScaler (CVE-2019-19781) can be chained with Zerologon to achieve similar results.

Why you should care about the risk of vulnerability chaining

It’s important to understand the context because this is not a simple user going about their day here – it’s a highly motivated attacker.
If the machine communicating with the Domain Controller belonged to a regular user, then there wouldn’t be an issue at all. The network authentication process would work and remove the poorly constructed text.
Since we’re dealing with an adversary who is trying to actively exploit the vulnerability, the risk of vulnerability chaining is high t because they know what they’re doing. Zerologon detection is a difficult task for a regular employee. It takes someone who is extremely experienced in this field to think of the wider implications for the company’s security.

Let’s break down the whole process into the key steps:

1. Spoofing enabled by improper lockdown limits

The report that Tervoort published mentions that a malicious hacker has to first spoof the password for a client working for the enterprise which the intruder plans to manipulate.
Because of the IV’s poor implementation within MS-NRPC (Netlogon Remote Protocol), it only takes about 256 attempts to find the right set of credentials. This gives attackers an edge because, no matter how many attempts they make, the client’s account doesn’t get locked after 3 password guessing attempts, as it does for a regular user.
This is the perfect thing that can happen here in favor of the attacker: they get unlimited attempts to get the credentials right in a short amount of time. All they need is to find one of the keys that will produce an all zero ciphertext.

2. Disabling signing and sealing – easier because it’s optional

So far, the adversary could only extract the right credentials for one of the client’s accounts, but they still don’t know the actual encryption key for the session. The next step here is to disable the signing and sealing.
Signing and sealing is a mechanism used for transporting encryption within MS-NRPC. It seems like a logical process to find there, so more of our data can be encrypted in transit. But within the MS-NRPC, this is merely an optional feature that can be turned on and off by simply not setting any flag within the header or notification section.
So, when the attacker turns off signing and sealing, the only check and balance system to make sure that every ounce of data is encrypted when in transit is snatched away.

This results in messages being sent out in the open, without any encryption whatsoever. Consequently, adversaries can manipulate this data as they please, changing the password values, removing them altogether, or setting up a new log-in process for the clients. They can do anything they want..

3. Changing credentials without triggering any alarms

The third and very last step in pulling off a successful exploit of Zerologon is to change the credentials of the client’s spoofed account.
The most effective tactic is to spoof an Active Directory server or, preferably, get close enough to the root AD server. To change the password, the attackers use the message NetServerPasswordSet2 in MS-NRPC. They can also do this by sending the frame with a preferred new password that only they – the malicious actor – know.

So, even if the client knows their old and – to them – valid password, they won’t be able to do anything as the new password has been set up and acquired by the adversary. The most cunning thing for the malicious hacker in all of this is to not raise any red flags. It’s like pulling off a heist with no alarms or sirens going off – ever. It’s a perfect hack and this is exactly what makes this vulnerability unimaginably dangerous.
Another thing the cybercriminal can try here is to remove the password altogether or set it to a blank value. This way, they can log in as usual.

But suppose the attacker targets a random computer on the network. In that case, the computer itself won’t be able to log in. So the first consequence of the attack – out of many – is a simple Denial of Service attack against that computer.

The patch for CVE-2020-1472 (Zerologon)

CISA advised Microsoft and other enterprises that use the Logon process to release the necessary patches and install these updates for the sake of keeping this vulnerability in check and as a Zerologon fix.
Microsoft has already released two distinctive sets of patches in August 2020, and more updates will roll out in due time. Because there are no mandatory guidelines or regulations for signing and sealing, attackers can exploit the Zerologon vulnerability while simultaneously preventing the organization from detecting a Zerologon attack because there are no red flags whatsoever.

Microsoft is determined to release a patch in February 2021 to make signing and sealing mandatory.
Based on the patch settings released by Microsoft, researchers estimate it will take about 60 to 150 days or a round figure of about 5 months on average for organizations to finally install the patch. This is also known as the meantime to patch or MTTP.

On the same topic, despite Microsoft releasing a new patch for the Zerologon attack, it’s not going to be a universal fix for the problem. Therefore Microsoft is willing to release a second phase of the patch that will include enforcement capabilities as early as February 2021.

At that time, according to Microsoft, all devices will be required to use the secure channel mode. If some of them don’t use it, then those specific devices will be denied access right away. However, if there are older, non-compliant devices on the network, network, and security specialists will have to manually add them to the group policy that explicitly allows access to non-compliant devices.

MTTP range

50

/

days

150

/

Months

5

/

Hopefully, when the new patch by Microsoft makes its way to the market, the Zerologon vulnerability and all related issues that it causes will be behind us.

Until then, we’ll keep this guide updated with everything you need to know!

Related Posts

Microsoft RCE vulnerability Bad Neighbor

Discover how dangerous a ‘Bad Neighbor’ can be – TCP/IP Vulnerability (CVE-2020-16898)

authenticated magento rce with deserialized phar files

Authenticated Magento RCE with deserialized PHAR files

0 comments

Comments