Zerologon vulnerability, technical name CVE-2020-1472, is a vulnerability that targets the Netlogon protocol. This vulnerability, if exploited, can allow a cybercriminal to gain access to and disrupt the normal operating capabilities of the domain controllers.
Zerologon was discovered by a Dutch cybersecurity expert associated with Secura in September 2020. Microsoft, just a few months back, in August 2020 to be exact, released a patch that closed several security concerns. CVE-2020-1472 was one of them.
Zerologon vulnerability was categorized as a ‘critical’ security concern by cybersecurity experts. To put it into context, Zerologon scored 10.0 in the Common Vulnerability Scoring System.
CVE-2020-1472 can attack domain controllers by exploiting a flaw previously found in the cryptographic authentication scheme known as Netlogon Remote Protocol.
This protocol aims to authenticate both machines and their users when the former are connected to domain-based networks. Another purpose of Netlogon Remote Protocol is to allow users to alter the passwords of computers remotely.
Where does Zerologon vulnerability sit in all of this!?
Well, through Zerologon vulnerability, cybercriminals can portray themselves as client computers. The next phase of an attack will be an attempt to change the password of a domain controller(s).
What are domain controllers?
Domain controllers are responsible for controlling a network and running Active Directory services in the background.
What is the result of exploiting zerologon vulnerability?
With zerologon vulnerability, cybercriminals will be able to gain domain administrative rights!
Who are vulnerable to this attack?
CVE-2020-1472 is a risk for enterprises with IT infrastructures that use networks managed by domain controllers running Microsoft Windows.
The severity of zerologon should not be undermined. Cybersecurity experts were quick to warn business executives about the fact that cybercriminals can exploit the zerologon vulnerability of Netlogon protocols in servers that are running any version of the following –
- Windows Server 2019
- Windows Server 2016
- Windows Server version 1909
- Windows Server version 1903
- Windows Server version 1809 (both standard and Datacenter editions)
- Windows Server 2012 R2
- Windows Server 2012 as well as
- Windows Server 2008 R2 (Service Pack 1).
How does an attack commence?
An attack using zerologon vulnerability can take place only when a cybercriminal penetrates the closed network of a corporation.
There is a silver lining to this story, though –
There are no reports of real-world cyber attacks that took place using zerologon vulnerability. Furthermore, there is no proof of concept let alone malware in the deep or dark web, that can back up the theories of cybersecurity researchers.
How to keep zerologon attacks at bay?
First off, Microsoft is known for releasing patches as soon as it finds out security concerns in its products. Since the company has already patched zerologon vulnerability by releasing a patch back in August 2020; security experts recommend that company executives make sure that all the domain controllers used by their ventures are updated.
Another way to keep zerologon vulnerability based attacks at bay is to monitor login attempts made using domain controllers running vulnerable versions of Netlogon protocol.