Active Directory (AD) would need to recognize the connecting client as being within its logical topology, which external addresses wouldn’t have. The attack requires that the spoofed login works like a normal domain login attempt. A vulnerable client or DC exposed to the internet is not exploitable by itself. In order to exploit this vulnerability, the attacker would need to launch the attack from a machine on the same Local Area Network (LAN) as their target. Secura’s whitepaper also notes that an attacker would be able to simply run Impacket’s ‘secretsdump’ script to pull a list of user hashes from a target DC. Further attacks are then possible, including the complete takeover of a Windows domain. An attacker can exploit this flaw to impersonate the identity of any machine on a network when attempting to authenticate to the Domain Controller (DC). The ComputeNetlogonCredential function in Netlogon sets the IV to a fixed 16 bits, which means an attacker could control the deciphered text. The AES-CFB8 standard requires that each byte of plaintext, like a password, must have a randomized initialization vector (IV) so that passwords can’t be guessed. AnalysisĬVE-2020-1472 is a privilege escalation vulnerability due to the insecure usage of AES-CFB8 encryption for Netlogon sessions. This disclosure follows a previous Netlogon related vulnerability, CVE-2019-1424, which Secura detailed at the end of last year. Zerologon was patched by Microsoft in the August Patch Tuesday round of updates. On September 11, researchers at Secura published a blog post for a critical vulnerability they’ve dubbed “Zerologon.” The blog post contains a whitepaper explaining the full impact and execution of the vulnerability, identified as CVE-2020-1472, which received a CVSSv3 score of 10.0, the maximum score. Update: October 02, 2020: The ‘Identifying Affected Systems’ section has been updated to highlight the release of the Zerologon scan template for Nessus and Tenable.io. Update: September 21, 2020: The ‘Identifying Affected Systems’ section has been updated to include instructions for our new unauthenticated check for Zerologon. Security researchers reveal how the cryptographic authentication scheme in Netlogon can be exploited to take control of a Windows domain controller (DC).
0 Comments
Leave a Reply. |