If you haven’t installed Microsoft’s August patch updates for your Active Directory domain controllers, you might want to reconsider. A brand new exploit (officially called CVE-2020-1472 by Microsoft and Zerologon by Tom Tervoort, the researcher who discovered it) allows an attacker to compromise an unpatched Active Directory domain controller via just a TCP connection without the need for any domain credentials.
“The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol,” said Tervoort in a recent post on the Secura website blog (which you can read here). “This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.”
According to Secura, attackers can follow as few as five steps to leverage the exploit. You can read about those steps directly on the Secura website here.
So what should you do? Patch, patch, patch!
As I mentioned above, Microsoft already took care of some of the issues in last month’s patch package. They’ll be releasing another round of patches in Q1 of next year (2021) that should resolve the issue completely.
Until then, Secura has released a free tool on GitHub that will tell you if your Domain Controler is vulnerable or not. It’s a simple Python script and should be relatively easy to implement. You can find that here. Otherwise, you can try to use a tool like OpenVAS to see if you’re vulnerable. Ultimately it’s good to scan for vulnerabilities from time to time. Vulnerability scanning is a part of a healthy cybersecurity ecosystem.
For any additional information, I recommend checking out Microsoft’s information page for CVE-2020-1472.
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.