Zerologon has been described as the “perfect” Windows vulnerability. As we reported earlier this month, it is one of the most dangerous bugs Microsoft has ever dealt with. While Microsoft has already shipped a patch, the company is now getting some patch assistance from two other sources.
Samba and 0patch have released their own fixes for Zerologon (CVE-2020-1472). Neither replaces the patch Microsoft issued in August; they cover what that patch does not reach: 0patch targets Windows versions Microsoft no longer updates, and Samba fixes its own implementation of the Netlogon protocol.
I previously said this flaw is one of the most dangerous ever. It seems that assessment was not hyperbolic. According to a recent whitepaper from security researchers at Secura, Zerologon is extremely dangerous:
“This attack has a huge impact: It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain,” says the whitepaper.
Zerologon lets an attacker take control of a Windows domain controller, and with it the domain. It is an elevation-of-privilege flaw in the Netlogon Remote Protocol (MS-NRPC), the Windows service through which machines and users authenticate against domain controllers. The bug is cryptographic: the Netlogon handshake uses AES-CFB8 with a fixed all-zero initialization vector, so a client that keeps sending all-zero challenges and credentials is accepted, on average, once in every 256 attempts without knowing any password. Microsoft rated the vulnerability CVSS 10.0, the maximum severity.
Speed makes Zerologon especially dangerous: Secura's proof of concept authenticates to a domain controller in about three seconds. Once authenticated, an attacker can reset the domain controller's machine account password to an empty value and use that foothold to extract credentials and take over the whole organization's network. The reset also breaks the domain controller's own communication with the domain until the original password is restored, so the attack is as disruptive as it is fast.
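The arithmetic behind those 256 attempts is worth seeing in code. The following is an added example, not code from this article, from Secura's whitepaper, or from Microsoft. It implements CFB8 mode over a stand-in block function (HMAC-SHA256 truncated to 16 bytes, an assumption made so the example runs without any third-party library; real Netlogon uses AES-128, and the 1/256 property holds for any block cipher) and shows why a zero IV plus a zero challenge yields a zero credential whenever the first keystream byte is zero. The session-key derivation and the server-challenge sequence are constructed stand-ins, not the MS-NRPC definitions; they exist only so that each retry gets a fresh key, which is what the real attacker relies on.

```python
import hashlib
import hmac

BLOCK = 16            # AES-128 block size; the stand-in keeps the same width
CREDENTIAL_LEN = 8    # Netlogon challenges and credentials are 8 bytes
ZERO_IV = bytes(BLOCK)
ZERO_CHALLENGE = bytes(CREDENTIAL_LEN)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption (assumption: any keyed
    pseudorandom block function shows the same 1/256 behaviour).
    HMAC-SHA256 truncated to 16 bytes keeps the example dependency-free."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: each ciphertext byte is the plaintext byte XORed with the
    first byte of E(shift register); the register then shifts in that byte."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        del register[0]
        register.append(c)
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of cfb8_encrypt; the register shifts in ciphertext bytes."""
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ block_encrypt(key, bytes(register))[0])
        del register[0]
        register.append(c)
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """The vulnerable construction: CFB8 with a fixed all-zero IV."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def server_accepts_zero_credential(session_key: bytes) -> bool:
    """Server-side check as seen by an attacker who sends an all-zero
    ClientChallenge and an all-zero ClientCredential without knowing the key."""
    expected = compute_netlogon_credential(session_key, ZERO_CHALLENGE)
    return hmac.compare_digest(expected, bytes(CREDENTIAL_LEN))


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """Why the attack works: with IV = 0 and plaintext = 0 the first output
    byte is E(0)[0]. If that byte is 0, the register stays all zeros, every
    later byte is the same E(0)[0] = 0, and the whole credential is zero.
    If it is not 0, the first credential byte is non-zero and the attempt
    fails. So acceptance happens for exactly 1 key in 256."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def derive_session_key(machine_password: bytes, server_challenge: bytes) -> bytes:
    """Constructed stand-in for the session-key derivation (assumption, not
    the MS-NRPC definition): a fresh server challenge yields a fresh key."""
    material = machine_password + server_challenge + ZERO_CHALLENGE
    return hashlib.sha256(material).digest()[:BLOCK]


def simulate_attack(machine_password: bytes, max_attempts: int = 10000,
                    seed: bytes = b"demo") -> int:
    """Replay the attacker's loop: new handshake, zero challenge, zero
    credential, until the server accepts. Returns the attempt number on
    success, 0 if none succeeded within max_attempts. Server challenges are
    derived from a seed so the run is reproducible."""
    for attempt in range(1, max_attempts + 1):
        counter = attempt.to_bytes(4, "big")
        server_challenge = hashlib.sha256(seed + counter).digest()[:CREDENTIAL_LEN]
        key = derive_session_key(machine_password, server_challenge)
        if server_accepts_zero_credential(key):
            return attempt
    return 0


if __name__ == "__main__":
    tries = simulate_attack(b"machine-account-secret-the-attacker-never-learns")
    print(f"zero credential accepted after {tries} attempts (about 256 on average)")
```

Nothing in the loop depends on the machine account password, which is the point: the attacker never learns it and never needs it. Expect a few hundred handshakes per success, which is why the real attack finishes in seconds against a domain controller on the same network. The defense is not a different IV chosen by the client but enforcement of the signed and sealed secure channel, which is what Microsoft's patch and Samba's `server schannel = yes` setting provide.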
Patch Assists
Mitja Kolsek, CEO of 0patch, says Microsoft's fix for Zerologon is not offered for every affected system. As such, his company has released its own micropatch to close that gap:
“Our micropatch was made for Windows Server 2008 R2, which reached end-of-support this January and stopped receiving Windows updates,” Kolsek told Threatpost. “Many organizations are still using this server and the only way for it to get extended security updates from Microsoft was to move it to Azure (cloud) — which is an unacceptable option for most organizations.”
Samba, the open-source suite that lets Linux and Unix hosts share files with Windows and act as Active Directory domain controllers, implements the Netlogon protocol itself, so a Samba domain controller is exposed to this flaw in the same way a Windows one is. The project (it is not a company) has issued fixed releases. Its advisory notes that Samba 4.8 and later are not vulnerable by default because they set server schannel = yes, which requires the encrypted secure channel; older releases, and any installation that sets server schannel = no or auto, must update or change that setting.