Application Security , Fraud Management & Cybercrime , Governance & Risk Management

CISA Pushes Government Agencies to Patch 'Zerologon' Flaw

Federal Agencies Need to Report Compliance by Wednesday
CISA Pushes Government Agencies to Patch 'Zerologon' Flaw
CISA Director Christopher Krebs

U.S. government agencies are supposed to have patched the “Zerologon” vulnerability by now, about six weeks after Microsoft issued a patch.

See Also: 2023 Gartner Market Guide for CNAPP

The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued an emergency directive on Friday asking agencies to apply the patch no later than midnight Tuesday. Agencies are required to report their compliance by Wednesday.

“CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” according to CISA’s advisory.

Forecast: Chance of Compromise

CISA can force government agencies to make fixes. But being more public about problematic vulnerabilities is a way to call them to the attention of private companies that might be using the same products, nudging them to also patch the vulnerabilities as soon as possible.

The agency has recently issued advisories about vulnerabilities in F5's BIG-IP network products and Pulse Secure VPN servers.

CISA says the factors leading to the latest directive include the availability of exploit code, the wide use of vulnerable domain controllers, the high chance of compromise and the continued presence of unpatched systems.

If the domain controllers can’t be updated, CISA says those devices should be removed from networks.

Three-Second Attack

The Zerologon vulnerability, CVE-2020-1472, exists in the Microsoft Windows Netlogon Remote Protocol, or MS-NRPC, an authentication component of Active Directory that organizations use to manage user accounts, including authentication and access.

Security firm Trend Micro says a Zerologon attack “can be executed in approximately three seconds, so it could be very dangerous.” An attacker could use the exploit to impersonate the identity of any computer that is authenticating against the domain controller.

“From there, a variety of other attacks, including but not limited to disabling security features, changing passwords and essentially taking over the domain are possible,” the firm warns.

One piece of good news is that the vulnerability can’t be remotely exploited. But if an attacker already has network access, they could use Zerologon to quickly traverse the network.

Looking Ahead

Microsoft issued a Zerologon patch on Aug. 11, but it only provides a partial fix. The update enables domain controllers to protect devices, but a more robust fix from Microsoft will still be required, according to Dustin Childs of the Zero Day Initiative, which is part of Trend Micro.

“A second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug,” Childs says in a Trend Micro blog post.

Microsoft has outlined steps administrators should take as well as the implications of its plan to enforce Netlogon’s secure channel connections.

Also, the Samba Team has released a patch for its suite of file and print services for Windows and Linux. Samba also uses the Netlogon protocol. But the default behavior for Samba since version 4.8, which was released in March 2018, has been to use a secure Netlogon channel, according to its advisory.

That behavior is a sufficient defense against known Zerologon exploits, the Samba Team says.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.