Zerologon: Become domain admin by subverting Netlogon cryptography
Weblog publish 11 September 2020, by Tom Tervoort, Senior Security Specialist and Ralph Moonen, Technical Director at Secura
Final month, Microsoft patched a extraordinarily attention-grabbing vulnerability that can perhaps perhaps enable an attacker with a foothold for your inner community to essentially modified into Arena Admin with one click. All that is required is for a connection to the Arena Controller to be that you simply have to perhaps perhaps perhaps mediate from the attacker’s perspective.
Secura’s safety expert Tom Tervoort beforehand realized a less severe Netlogon vulnerability last twelve months that allowed workstations to be taken over, nonetheless the attacker required a Particular person-in-the-Heart (PitM) space for that to work. Now, he realized this 2nd, map more severe (CVSS safe: 10.0) vulnerability within the protocol. By forging an authentication token for explicit Netlogon functionality, he became once in a space to name a characteristic to position the computer password of the Arena Controller to a identified worth. After that, the attacker can use this novel password to attract conclude control over the domain controller and rob credentials of a website online admin.
The vulnerability stems from a flaw in a cryptographic authentication plot traditional by the Netlogon Remote Protocol, which among assorted things will also be traditional to exchange computer passwords. This flaw enables attackers to impersonate any computer, including the domain controller itself, and operate distant device calls on their behalf.
Secura urges everybody to put in the patch on all their domain controllers as mercurial as that you simply have to perhaps perhaps perhaps mediate. Please refer to Microsoft’s advisory. We published a check tool on Github, which you have to perhaps perhaps perhaps download here: https://github.com/SecuraBV/CVE-2020-1472 that can perhaps divulge you whether or no longer a website online controller is inclined or no longer.
Will accept as true with to you are drawn to the technical itsy-bitsy print within the aid of this elegant distinctive vulnerability and the map in which it became once realized, download the whitepaper here.
Read more about Zerologon: CVE-2020-1472 in our whitepaper. Will accept as true with to you have to perhaps perhaps perhaps additionally merely accept as true with got any questions, please contact us at email@example.com.