Critical Vulnerability - CVE-2020-1472 - Zerologon

On September 18th, the Cyber Security & Infrastructure Security Agency (CISA) mandated, under Emergency Directive 20-04, that all US federal agencies must patch any Windows domain controllers affected by the CVE-2020-1472 vulnerability. The patch had to be applied by September 21st, with a report back no later than September 23rd.

How does this affect OT systems?

If you are running a Windows Domain Controller on your plant network that is Windows Server 2008 or later, anyone who has access to the network could compromise your primary authentication device. The impact is huge: basically anyone who can plug a device into a live, connected network port could completely compromise the Domain Controller. Furthermore, the attack is completely unauthenticated, hence the name ‘Zerologon’.

This is not solely a Microsoft issue; the vulnerability also affects Linux systems that use Samba as a Domain Controller.

Background

On August 11th 2020, Microsoft released a software update to mitigate a vulnerability in the Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory. The vulnerability is classed as a privilege escalation flaw and received a 10 on the Common Vulnerability Scoring System (CVSS), but it flew under the radar of many security professionals until last week, when Dutch security firm Secura published a paper outlining the vulnerability; exploit code for the flaw was posted online shortly thereafter.

How does this vulnerability work?

The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. An attacker could exploit the vulnerability to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.


This is achieved by sending a number of Netlogon messages in which various fields are filled with zeroes. It amounts to a short brute-force login attempt: because the scheme applies AES-CFB8 with a fixed all-zero initialisation vector to an all-zero plaintext, roughly 1 in 256 session keys produces an all-zero ciphertext, which is enough to bypass the logon process.

How easy is it?

This attack is very easy to undertake; Heath Adams from TCM walks through the process in this short video: https://www.youtube.com/watch?v=6xMGsdD-ArI

What should I do?

The simplest approach is to apply the patch to every affected Domain Controller, including Read Only Domain Controllers (RODC); the security updates can be located on the Microsoft website.

There are a few steps required, and there is also not a full fix out yet, which is what makes this a little more dangerous than your average CVSS 10.0 vulnerability.

The initial deployment phase starts with the update already provided and continues with further patches until the Enforcement phase. These and later updates change the Netlogon protocol to protect Windows devices by default, log events so that non-compliant devices can be discovered, and add the ability to enable protection for all domain-joined devices with explicit exceptions. You can read more about this on the Microsoft website.

Linux systems that use Samba (Server Message Block, SMB) are also susceptible to the CVE-2020-1472 vulnerability when Samba is used as a Domain Controller: Samba versions 4.8 and above if the "server schannel" parameter is set to either "no" or "auto", and versions 4.7 and below if "server schannel = yes" is set in the smb.conf configuration file. You can read more about this and obtain the available patches on the Samba website.

What can we learn from this?

This vulnerability has once again highlighted the need not only to patch but also to be able to monitor your event logs and identify malicious traffic on your network. If you were in any doubt about the need for robust network monitoring in OT operations, this should serve as a reminder. It will not be the last unauthenticated vulnerability: back in June we also saw the release of SIGRed, which I wrote about, affecting Microsoft’s Domain Name Server (DNS) on all versions of Windows Server.

The UK’s National Cyber Security Centre (NCSC) clearly states this in its secure design principle “Making Compromise Detection Easier”: “Even if you take all available precautions, there’s still a chance your system will be compromised by a new or unknown attack. To give yourself the best chance of spotting these attacks, you should be well positioned to detect compromise”.

This is one of the reasons that we partner with Claroty for their award-winning Continuous Threat Detection (CTD) solution, which is designed for OT protection from the ground up.

Any organisation without the ability to detect exploit attempts remains at risk if it delayed patching, as there is no way to know whether it was exposed between the time of disclosure and the time the systems were updated. We know that OT doesn’t patch as regularly as IT, so we need to address these risks differently.

How we protect against cyber threats

At SolutionsPT we help our customers protect against threats with our award-winning class of security and recovery solutions for OT. We continue to closely monitor and follow the ever-evolving cybersecurity threat landscape across industrial environments, to make sure we fully understand what the risks are so that we’re able to support and advise our customers accordingly.