Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

DHS Orders Federal Agencies to Immediately Patch ‘Zerologon’ Vulnerability

The Department of Homeland Security (DHS) on Friday issued an Emergency Directive that requires federal agencies to install fixes for a Netlogon elevation of privilege vulnerability for which Microsoft released patches in August 2020.

The Department of Homeland Security (DHS) on Friday issued an Emergency Directive that requires federal agencies to install fixes for a Netlogon elevation of privilege vulnerability for which Microsoft released patches in August 2020.

Tracked as CVE-2020-1472 and discovered by researchers at cybersecurity firm Secura, the issue exists in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) “when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller,” Microsoft explains in its advisory.

An unauthenticated attacker can exploit the bug through a specially crafted application that runs on a device on the network. The attacker connecting to a domain controller via Netlogon would be granted domain administrator access.

Referring to the issue as Zerologon, Secura researchers explain that the vulnerability has been assigned a CVSS score of 10. They also published technical details on the security flaw, along with a tool to check for vulnerable systems, and recommend installing the available patches on all Active Directory domain controllers.

“The patch that addresses Zerologon also implements some additional defense-in-depth measures that forces domain-joined machines to use previously optional security features of the Netlogon protocol. An update in February 2021 will further tighten these restrictions, which may break some third-party devices or software,” Secura says.

Several proof-of-concept (PoC) exploits have already been published for the Zerologon vulnerability.

In its Emergency Directive 20-04, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) warns all federal agencies that applying Microsoft’s patches is the only available mitigation for this critical vulnerability, aside from removing affected domain controllers from the environment.

“CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” the Emergency Directive reads.

Advertisement. Scroll to continue reading.

Agencies are required to apply the Windows Server August 2020 security update to all domain controllers by Monday, September 21, 2020, at 11:59 PM EDT. In addition to installing the August 2020 patches, agencies are also required to ensure that even newly provisioned or previously disconnected domain controller servers have the updates before they are connected to agency networks.

Furthermore, CISA recommends that agencies use their vulnerability scanning tools along with additional means to ensure that the necessary patches have been deployed.

“These requirements apply to Windows Servers with the Active Directory domain controller role in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information,” CISA says.

Agencies are also required to submit completion reports by 11:59 PM EDT, Wednesday, September 23, 2020.

“This emergency directive remains in effect until all agencies have applied the August 2020 Security Update (or other superseding updates) or the directive is terminated through other appropriate action,” CISA says.

While some experts have described the Zerologon flaw as “scary,” Microsoft has assigned it an exploitability assessment score of “2- exploitation less likely.”

Related: Out-of-Band Update Patches Privilege Escalation Flaws in Windows 8.1, Server 2012

Related: Actively Exploited Windows Spoofing Flaw Patched Two Years After Disclosure

Related: Microsoft Patches Actively Exploited Windows, IE Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...