Serious Windows flaw patched in August.
ZDNet reports that Microsoft's August Patch Tuesday included a fix for a severe elevation-of-privilege vulnerability that could allow an attacker on a network to impersonate any computer account within the domain, including the domain controller (the server responsible for handling security authentication requests), and reset the password for that account. The vulnerability, dubbed "Zerologon" (CVE-2020-1472), was assigned a CVSS score of 10, but technical details of the flaw weren't made public at the time of the patch's release.
Researchers at Secura have now published an analysis of the vulnerability, and observers quickly realized the flaw is extremely serious. The vulnerability is trivial to exploit, and several public exploits are already available (Secura itself refrained from publishing its proof-of-concept). Secura explains, "Leaving a DC unpatched will allow attackers to compromise it and give themselves domain admin privileges. The only thing an attacker needs for that is the ability to set up TCP connections with a vulnerable DC; i.e. they need to have a foothold on the network, but don’t require any domain credentials." The researchers add that "it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain."
The vulnerability stems from flaws in the custom AES-based cryptographic authentication scheme used by the Netlogon protocol. Netlogon is responsible for a number of features involving user account authentication, including updating passwords within the domain. Secura's Tom Tervoort found that the scheme used a fixed Initialization Vector (IV), contrary to the security requirements of the AES-CFB8 mode it relies on. This fixed IV consisted of sixteen zero bytes, which led Tervoort to discover that "for 1 in 256 keys, applying AES-CFB8 encryption to an all-zero plaintext will result in all-zero ciphertext." As a result, an attacker can repeatedly try to authenticate using an all-zero client challenge until the authentication succeeds, which Secura says takes about three seconds. If the attacker also sets a few other message parameters to zero, they can set an empty password for the domain controller (at which point, since they know the password, they can change it to whatever they wish).
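To see why the 1-in-256 figure holds, here is an added Go example (not code from Secura, Microsoft, or any Netlogon implementation) that implements AES-CFB8 with the fixed all-zero IV, counts how many keys turn an all-zero 8-byte challenge into all-zero ciphertext, and shows that the condition is exactly AES_k(0^16)[0] == 0: once a zero ciphertext byte is fed back, the shift register stays all-zero and every later keystream byte repeats. The function names and the sequential sample keys are the example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
)

// cfb8Encrypt is a minimal AES-CFB8 encryptor (Go's standard library has none): each
// plaintext byte is XORed with byte 0 of AES_k(register); the ciphertext byte is shifted in.
func cfb8Encrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys in this demo are always 16 bytes
	}
	reg := append([]byte(nil), iv...) // private copy; the register is mutated
	keystream := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(keystream, reg)
		out[i] = p ^ keystream[0]
		copy(reg, reg[1:])
		reg[aes.BlockSize-1] = out[i] // ciphertext feedback
	}
	return out
}

// zeroIVGivesZeroCiphertext is the Zerologon condition: under the fixed all-zero
// IV, does an all-zero 8-byte client challenge encrypt to all-zero ciphertext?
func zeroIVGivesZeroCiphertext(key []byte) bool {
	return bytes.Equal(cfb8Encrypt(key, make([]byte, 16), make([]byte, 8)), make([]byte, 8))
}

// firstKeystreamByteIsZero explains the 1-in-256 figure: the first keystream byte is
// AES_k(0^16)[0]; if it is zero, the fed-back byte is zero, the register never changes.
func firstKeystreamByteIsZero(key []byte) bool {
	return cfb8Encrypt(key, make([]byte, 16), []byte{0})[0] == 0 // one byte = AES_k(0^16)[0]
}

// countWeakKeys walks n sequential AES-128 keys (0, 1, 2, ...; constructed sample keys)
// and counts those meeting the condition; expect about n/256, hence ~256 attempts.
func countWeakKeys(n int) int {
	weak, key := 0, make([]byte, 16)
	for i := 0; i < n; i++ {
		key[13], key[14], key[15] = byte(i>>16), byte(i>>8), byte(i)
		if zeroIVGivesZeroCiphertext(key) {
			weak++
		}
	}
	return weak
}
```

Running `countWeakKeys(16384)` yields a count near 64; with a random, unique IV the same keys produce no such all-zero ciphertext, which is the property the fixed IV destroyed.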
Microsoft's August patch addresses this issue, and organizations are urged to apply the fix as soon as possible. Microsoft also plans to release a more comprehensive patch in February 2021.
For more, see the CyberWire Pro Research Briefing.