If you had any doubts about the criticality of the Zerologon vulnerability (CVE-2020-1472) affecting Windows Server, here is a confirmation: the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Friday instructing federal agencies to “immediately apply the Windows Server August 2020 security update to all domain controllers” – and to do so by the end of Monday (September 21).
“If affected domain controllers cannot be updated, ensure they are removed from the network,” CISA advised.
To make sure the order has been complied with, the agency asks department-level Chief Information Officers (CIOs) or equivalents to submit completion reports by Wednesday.
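As an added example (not part of the article, the directive, or any CISA tooling), the following PowerShell inventory lists every domain controller in the domain and records whether a given update is installed, producing the kind of completion report the directive asks for. It assumes the ActiveDirectory RSAT module is available, that the caller can query each DC remotely, and that the placeholder KB identifier is replaced with the actual KB article number of the August 2020 update for each DC's Windows Server version (the article does not list KB numbers).

```powershell
# Added example, not from the article or CISA: report Zerologon patch status per DC.
# Assumptions: ActiveDirectory module present; remote WMI/CIM access to each DC;
# $RequiredKB replaced with the real KB ID for the DC's OS version (placeholder below).

$RequiredKB = 'KBXXXXXXX'   # PLACEHOLDER: substitute the August 2020 update's KB ID per OS version

Import-Module ActiveDirectory

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $hotfix = $null
    try {
        # Get-HotFix writes an error when the requested ID is absent; treat that as "not installed"
        $hotfix = Get-HotFix -ComputerName $dc.HostName -Id $RequiredKB -ErrorAction Stop
    } catch {
        $hotfix = $null
    }

    [PSCustomObject]@{
        DomainController = $dc.HostName
        OperatingSystem  = $dc.OperatingSystem
        UpdateInstalled  = [bool]$hotfix
        InstalledOn      = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    }
}

# DCs still missing the update are the ones the directive says must be patched or removed from the network
$results | Where-Object { -not $_.UpdateInstalled } | Format-Table -AutoSize

# Full status list, usable as the basis for the completion report
$results | Export-Csv -Path .\DC-Zerologon-Patch-Status.csv -NoTypeInformation
```

Because Windows cumulative updates supersede one another, a domain controller that received a later cumulative update will show that newer KB rather than the August one, so the identifier to check should be the most recent cumulative update applicable to each OS version, not only the August release.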
About the vulnerability
Security updates fixing CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC), were provided by Microsoft in August, and the researchers who discovered the bug revealed more technical information about it last week.
That release was followed by the publication of a slew of PoC exploits.
Zerologon’s severity stems from the fact that it can be leveraged by an unauthenticated attacker with network access to a domain controller to impersonate any domain-joined computer, including a domain controller.
“Among other actions, the attacker can set an empty password for the domain controller’s Active Directory computer account, causing a denial of service, and potentially allowing the attacker to gain domain administrator privileges. The compromise of Active Directory infrastructure is likely a significant and costly impact,” CERT/CC says.
The risk
“CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” the agency noted in the emergency directive.
“This determination is based on the following: the availability of the exploit code in the wild increasing likelihood of any unpatched domain controller being exploited; the widespread presence of the affected domain controllers across the federal enterprise; the high potential for a compromise of agency information systems; the grave impact of a successful compromise; and the continued presence of the vulnerability more than 30 days since the update was released.”
State and local governments should heed this call as well, not to mention organizations in the private sector.
We have yet to hear of the vulnerability being actively exploited in the wild, but it is only a matter of time until attackers start leveraging it.