Zerologon Windows exploit lets attackers instantly become admins on enterprise networks

It’s considered good practice among system administrators not to install software updates as soon as they are out unless they purposely fix security flaws. In the case of Windows updates, even more so because of the recent history of poor quality control that results in multiple things breaking after installation. This time, however, the severity of a newly-discovered flaw makes that risk pale in comparison to the risk of compromising your Windows domain.
Security researchers have revealed new proof-of-concept code for a Windows flaw that allows an attacker to easily infiltrate enterprise networks, gain administrative privileges, and get full access to Active Directory domain controllers on Windows servers.

The flaw, dubbed “Zerologon,” is essentially a severe privilege-escalation glitch that Microsoft has addressed in the August 2020 security updates. That means that if you’ve delayed the installation of those patches, you may have a big problem in your hands, as there are now four additional methods demonstrated on GitHub.

When Dutch security company Secura discovered a vulnerability in Netlogon, it was catalogued as a less severe flaw than Zerologon, as it required a person-in-the-middle attack for it to become an effective tool for malicious actors. However, Zerologon allows an attacker to craft an authentication token for the Netlogon Remote Protocol that opens up the possibility to set the computer password of the Domain Controller to something of their choosing.

Researchers explained that the issue stems from the incorrect use of AES-CFB8 encryption, which requires randomly-generated initialization vectors for each authentication message. But because Windows doesn’t take this requirement into consideration, an attacker can input zeros into specific fields to make taking over the domain controller in a matter of seconds, in a process detailed here.

Microsoft’s August 2020 security patch applies this requirement to render all Zerologon attacks ineffective, and Secura has published a Python script that can tell administrators if their Domain Controller has been patched correctly.