SecurityWeek

Management & Strategy

DHS Orders Federal Agencies to Immediately Patch ‘Zerologon’ Vulnerability

The Department of Homeland Security (DHS) on Friday issued an Emergency Directive that requires federal agencies to install fixes for a Netlogon elevation of privilege vulnerability for which Microsoft released patches in August 2020.

Tracked as CVE-2020-1472 and discovered by researchers at cybersecurity firm Secura, the issue exists in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) “when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller,” Microsoft explains in its advisory.

An unauthenticated attacker can exploit the bug through a specially crafted application that runs on a device on the network. The attacker connecting to a domain controller via Netlogon would be granted domain administrator access.

Referring to the issue as Zerologon, Secura researchers explain that the vulnerability has been assigned a CVSS score of 10. They also published technical details on the security flaw, along with a tool to check for vulnerable systems, and recommend installing the available patches on all Active Directory domain controllers.

“The patch that addresses Zerologon also implements some additional defense-in-depth measures that force domain-joined machines to use previously optional security features of the Netlogon protocol. An update in February 2021 will further tighten these restrictions, which may break some third-party devices or software,” Secura says.

Several proof-of-concept (PoC) exploits have already been published for the Zerologon vulnerability.

In its Emergency Directive 20-04, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) warns all federal agencies that applying Microsoft’s patches is the only available mitigation for this critical vulnerability, aside from removing affected domain controllers from the environment.

“CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” the Emergency Directive reads.

Agencies are required to apply the Windows Server August 2020 security update to all domain controllers by Monday, September 21, 2020, at 11:59 PM EDT. In addition to installing the August 2020 patches, agencies are also required to ensure that even newly provisioned or previously disconnected domain controller servers have the updates before they are connected to agency networks.

Furthermore, CISA recommends that agencies use their vulnerability scanning tools along with additional means to ensure that the necessary patches have been deployed.
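As an added example (not code from the article, CISA's directive, or Secura's checker), this PowerShell script enumerates every domain controller and collects the evidence the directive asks agencies to gather: an update installed on or after the August 2020 release, the Netlogon enforcement registry value, and the NETLOGON event IDs that a patched domain controller emits. It assumes RSAT's ActiveDirectory module and WinRM access to each DC; the registry value and event IDs come from Microsoft's documentation for the patch, not from this article.

```powershell
# Added example (not from the article, CISA, or Secura): gather per-DC evidence
# that the August 2020 Netlogon update is in place. Assumes the ActiveDirectory
# module, WinRM access, and Microsoft's documented Netlogon registry value/events.
Import-Module ActiveDirectory

$patchTuesday = Get-Date '2020-08-11'   # release date of the August 2020 updates
$lookbackDays = 7

$probe = {
    param([datetime]$Since, [int]$Days)
    $reg = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    # Heuristic only: cumulative updates supersede the original fix, so any
    # update installed on or after Patch Tuesday counts. Confirm the exact KB
    # for the OS build with your vulnerability scanner, as the directive asks.
    $recent = @(Get-HotFix | Where-Object { $_.InstalledOn -ge $Since })
    # FullSecureChannelProtection = 1 turns on enforcement mode, which denies
    # vulnerable Netlogon secure channel connections; absent/0 = deployment mode.
    $enforce = (Get-ItemProperty -Path $reg -Name FullSecureChannelProtection `
                -ErrorAction SilentlyContinue).FullSecureChannelProtection
    # A patched DC logs these NETLOGON events; 5829 means a vulnerable
    # connection was still allowed and names the machine account to fix.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'NETLOGON'
            Id = 5827, 5828, 5829, 5830, 5831
            StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        DomainController  = $env:COMPUTERNAME
        UpdatesSince0811  = $recent.Count
        LatestUpdate      = ($recent | Sort-Object InstalledOn -Descending |
                             Select-Object -First 1).InstalledOn
        EnforcementMode   = ($enforce -eq 1)
        NetlogonEvents    = $events.Count
        VulnerableAllowed = @($events | Where-Object Id -eq 5829).Count
        LooksPatched      = ($recent.Count -gt 0 -or $events.Count -gt 0)
    }
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Invoke-Command -ComputerName $dc.HostName -ScriptBlock $probe `
            -ArgumentList $patchTuesday, $lookbackDays -ErrorAction Stop
    } catch {
        # An unreachable DC is a finding too: it cannot be shown compliant.
        [pscustomobject]@{ DomainController = $dc.HostName; LooksPatched = $false
                           Error = $_.Exception.Message }
    }
}
$results | Sort-Object LooksPatched | Format-Table -AutoSize
```

A non-zero VulnerableAllowed count points at domain-joined devices that still negotiate the insecure channel, which is what the February 2021 enforcement change will start rejecting.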

“These requirements apply to Windows Servers with the Active Directory domain controller role in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information,” CISA says.

Agencies are also required to submit completion reports by 11:59 PM EDT, Wednesday, September 23, 2020.

“This emergency directive remains in effect until all agencies have applied the August 2020 Security Update (or other superseding updates) or the directive is terminated through other appropriate action,” CISA says.

While some experts have described the Zerologon flaw as “scary,” Microsoft has assigned it an exploitability assessment of “2 - Exploitation Less Likely.”

Written By

Ionut Arghire is an international correspondent for SecurityWeek.