A critical vulnerability in Microsoft Netlogon was patched in the August patch cycle – but was so dangerous that details were not made public until September when (hopefully) many systems would have been patched.  If you have not applied the August patch bundle to your domain controllers stop reading and go do it now. Really – it’s that bad.

The Zerologon vulnerability has a maximum CVSS score of 10, and is rated as critical by Microsoft.  Last week the US CISA issued a rare instruction legally compelling federal sys admins to apply the patch by 21^stSeptember.

Tracked as CVE-2020-1472 the vulnerability in the Microsoft Netlogon Remote Protocol allows an unauthenticated user to change passwords on the Domain Controller and then leverage that access to take over the whole domain.  The flaw is in Microsoft’s implementation of AES-CFB8 which erroneously uses predictable initialisation vectors for the cipher – meaning every 256 attempts, vectors of all zeros are used. This knowledge can be used to brute force the credentials for any Windows login in a few seconds – as there is no throttling or account lockout implemented with respect to these Netlogon authentications.  Proof of concept code is now available on Github.

Many other devices and service make use of the Netlogon Remote Protocol including some versions of Samba when used as domain controller.  Because the flaw was in the protocol implementation which Samba copied, patching the Microsoft Server will not also protect Samba which will need its own patch applied.  Microsoft’s security advisory contains details of mitigation steps and a planned future update in 2021 which will further secure the protocol.

Network Managers can use vulnerability scans to help identify missing critical patches and implement a vulnerability management policy to ensure patching is implemented promptly and safely each month on their network.