The Department of Homeland Security (DHS) on Friday issued an Emergency Directive that requires federal agencies to install fixes for a Netlogon elevation of privilege vulnerability for which Microsoft released patches in August 2020.
Tracked as CVE-2020-1472 and discovered by researchers at cybersecurity firm Secura, the issue exists in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) “when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller,” Microsoft explains in its advisory.
An unauthenticated attacker can exploit the bug through a specially crafted application that runs on a device on the network. An attacker who connects to a domain controller via Netlogon in this way would be granted domain administrator access.
Referring to the issue as Zerologon, Secura researchers explain that the vulnerability has been assigned a CVSS score of 10. They also published technical details on the security flaw, along with a tool to check for vulnerable systems, and recommend installing the available patches on all Active Directory domain controllers.
“The patch that addresses Zerologon also implements some additional defense-in-depth measures that forces domain-joined machines to use previously optional security features of the Netlogon protocol. An update in February 2021 will further tighten these restrictions, which may break some third-party devices or software,” Secura says.
Several proof-of-concept (PoC) exploits have already been published for the Zerologon vulnerability.
In its Emergency Directive 20-04, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) warns all federal agencies that applying Microsoft’s patches is the only available mitigation for this critical vulnerability, aside from removing affected domain controllers from the environment.
“CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” the Emergency Directive reads.
Agencies are required to apply the Windows Server August 2020 security update to all domain controllers by Monday, September 21, 2020, at 11:59 PM EDT. In addition to installing the August 2020 patches, agencies are also required to ensure that even newly provisioned or previously disconnected domain controller servers have the updates before they are connected to agency networks.
Furthermore, CISA recommends that agencies use their vulnerability scanning tools along with additional means to ensure that the necessary patches have been deployed.
“These requirements apply to Windows Servers with the Active Directory domain controller role in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information,” CISA says.
Agencies are also required to submit completion reports by 11:59 PM EDT, Wednesday, September 23, 2020.
“This emergency directive remains in effect until all agencies have applied the August 2020 Security Update (or other superseding updates) or the directive is terminated through other appropriate action,” CISA says.
While some experts have described the Zerologon flaw as “scary,” Microsoft has assigned it an exploitability assessment score of “2 - exploitation less likely.”