CISA Pushes Government Agencies to Patch 'Zerologon' Flaw
Federal Agencies Need to Report Compliance by Wednesday
U.S. government agencies are supposed to have patched the “Zerologon” vulnerability by now, about six weeks after Microsoft issued a patch.
The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued the emergency directive, ED 20-04, on Friday, requiring agencies to apply the patch to every Windows server holding the domain controller role no later than midnight Tuesday. Agencies must report their compliance by Wednesday.
“CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” according to CISA’s advisory.
Forecast: Chance of Compromise
CISA can force government agencies to make fixes. But being more public about problematic vulnerabilities is a way to call them to the attention of private companies that might be using the same products, nudging them to also patch the vulnerabilities as soon as possible.
The agency has recently issued advisories about vulnerabilities in F5's BIG-IP network products and Pulse Secure VPN servers.
CISA says the factors leading to the latest directive include the availability of exploit code, the wide use of vulnerable domain controllers, the high chance of compromise and the continued presence of unpatched systems.
If the domain controllers can’t be updated, CISA says those devices should be removed from networks.
Three-Second Attack
The Zerologon vulnerability, CVE-2020-1472, exists in the Microsoft Windows Netlogon Remote Protocol, or MS-NRPC, an authentication component of Active Directory that organizations use to manage user accounts, including authentication and access.
Security firm Trend Micro says a Zerologon attack “can be executed in approximately three seconds, so it could be very dangerous.” An attacker could use the exploit to impersonate the identity of any computer that is authenticating against the domain controller.
“From there, a variety of other attacks, including but not limited to disabling security features, changing passwords and essentially taking over the domain are possible,” the firm warns.
One piece of good news is that the vulnerability can’t be exploited from the internet against a network whose domain controllers are not exposed: no credentials are needed, but the attacker must already be able to reach a domain controller’s Netlogon RPC interface. An attacker with that network access, for example from a compromised workstation or VPN session, could use Zerologon to go from a foothold to control of the domain within seconds.
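The “three seconds” follows from the shape of the bug, which the article does not describe: Netlogon’s ComputeNetlogonCredential encrypts the 8-byte challenge with AES-128 in CFB8 mode using an all-zero IV, so for roughly one session key in 256 an all-zero challenge produces an all-zero credential, and an attacker who keeps sending zeros expects to get in after about 256 tries. The script below is an added example, not code from the article, CISA, Microsoft or Trend Micro; it reimplements only the credential computation (not the session-key derivation or the RPC exchange) over AES-128 from the `cryptography` package, falling back to an HMAC-based stand-in if that package is absent, and the key-generation scheme is an assumption made for repeatability.

```python
"""Added illustration: the CFB8 / zero-IV weakness behind Zerologon (CVE-2020-1472)."""
import hashlib
import hmac

try:
    # Real AES-128 through the 'cryptography' package (pip install cryptography).
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()

    CIPHER_NAME = "AES-128"
except ImportError:
    # Stand-in keyed function so the script still runs without the dependency.
    # The weakness is a property of CFB8 with a zero IV, not of AES, so the
    # statistics below come out the same with any 16-byte keyed function.
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hmac.new(key, block, hashlib.sha256).digest()[:16]

    CIPHER_NAME = "HMAC-SHA256 stand-in (cryptography not installed)"


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: each keystream byte is the first byte of E_K(shift register),
    and the register slides left by one byte with the ciphertext byte fed back."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])  # ciphertext feeds back into the register
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """MS-NRPC ComputeNetlogonCredential (AES flavour): CFB8 with a 16-byte zero IV."""
    return cfb8_encrypt(session_key, bytes(16), challenge)


def zero_credential_is_predicted_by_first_byte(session_key: bytes) -> bool:
    """An all-zero credential occurs exactly when E_K(0^16) starts with a zero byte:
    the first keystream byte is then 0, the register stays all zero, and every
    later byte repeats the same computation."""
    cred = compute_netlogon_credential(session_key, bytes(8))
    first_byte_zero = block_encrypt(session_key, bytes(16))[0] == 0
    return (cred == bytes(8)) == first_byte_zero


def zero_credential_rate(trials: int, seed: bytes = b"zerologon-demo") -> float:
    """Fraction of session keys for which a zero challenge yields a zero credential.
    Expected value is about 1/256; this is why the brute force needs ~256 attempts."""
    hits = 0
    for i in range(trials):
        # Deterministic pseudo-random 16-byte session keys (assumption, for repeatability).
        key = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:16]
        if compute_netlogon_credential(key, bytes(8)) == bytes(8):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    rate = zero_credential_rate(8192)
    print(f"{CIPHER_NAME}: zero credential for {rate:.4%} of keys (expected about {1 / 256:.4%})")
```

In a real attack the server challenge changes on every attempt, so each try faces a fresh session key and an independent 1-in-256 chance; the patch matters because it stops the domain controller from accepting the resulting unsigned, unsealed session at all.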
Looking Ahead
Microsoft issued a Zerologon patch on Aug. 11, but it is only the first phase of the fix. The update lets domain controllers require a secure Netlogon channel from Windows devices and log, rather than refuse, insecure connections from other devices, so a second, enforcing update from Microsoft will still be required, according to Dustin Childs of the Zero Day Initiative, which is part of Trend Micro.
“A second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug,” Childs says in a Trend Micro blog post.
Microsoft has outlined steps administrators should take as well as the implications of its plan to enforce Netlogon’s secure channel connections.
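Those steps hinge on five Netlogon event IDs (5827 through 5831) that patched domain controllers write to the System log: 5827 and 5828 mean an insecure channel was denied, 5829 means one was allowed only because the domain controller is still in the initial deployment phase, and 5830 and 5831 mean one was allowed through a group-policy exception. The script below is an added example, not Microsoft's or the article's; it triages such events to find devices that still negotiate an insecure channel and to infer, per domain controller, whether enforcement is already active. The event records are constructed, the host and account names are invented, and the “Key: value” field names in the event bodies are an assumption based on Microsoft's published event descriptions.

```python
"""Added example: triage Netlogon secure-channel events from the CVE-2020-1472 rollout."""
import re
from collections import defaultdict

# Event IDs the Netlogon service logs under Microsoft's CVE-2020-1472 guidance.
NETLOGON_EVENTS = {
    5827: "denied: machine account used an insecure channel",
    5828: "denied: trust account used an insecure channel",
    5829: "allowed for now (initial deployment phase); denied once enforcing",
    5830: "allowed by group policy exception: machine account",
    5831: "allowed by group policy exception: trust account",
}
DENIED = {5827, 5828}
DEPLOYMENT_ALLOWED = {5829}
POLICY_ALLOWED = {5830, 5831}

# "Key: value" lines in the event body (field names are an assumption).
FIELD_RE = re.compile(
    r"^(Machine SamAccountName|Domain|Account Type|Machine Operating System"
    r"|Machine Operating System Build|Machine Operating System Service Pack):[ \t]*(.*)$",
    re.MULTILINE,
)

# Constructed sample records shaped like a System-log export from two domain controllers.
SAMPLE_EVENTS = [
    {"time": "2020-09-21T09:12:03Z", "computer": "DC01.corp.example", "event_id": 5829,
     "message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n\n"
                "Machine SamAccountName: WS-OLD01$\nDomain: CORP\nAccount Type: Workstation Trust\n"
                "Machine Operating System: Windows 7 Professional\n"
                "Machine Operating System Build: 7601\nMachine Operating System Service Pack: Service Pack 1\n"},
    {"time": "2020-09-21T09:15:40Z", "computer": "DC01.corp.example", "event_id": 5829,
     "message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n\n"
                "Machine SamAccountName: FILE-SRV02$\nDomain: CORP\nAccount Type: Workstation Trust\n"
                "Machine Operating System: Windows Server 2008 R2 Standard\n"
                "Machine Operating System Build: 7601\nMachine Operating System Service Pack: Service Pack 1\n"},
    {"time": "2020-09-21T10:02:11Z", "computer": "DC02.corp.example", "event_id": 5827,
     "message": "The Netlogon service denied a vulnerable Netlogon secure channel connection "
                "from a machine account.\n\n"
                "Machine SamAccountName: WS-OLD01$\nDomain: CORP\nAccount Type: Workstation Trust\n"
                "Machine Operating System: Windows 7 Professional\n"
                "Machine Operating System Build: 7601\nMachine Operating System Service Pack: Service Pack 1\n"},
    {"time": "2020-09-21T10:30:55Z", "computer": "DC02.corp.example", "event_id": 5830,
     "message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection "
                "because the machine account is allowed in the \"Domain controller: Allow "
                "vulnerable Netlogon secure channel connections\" group policy.\n\n"
                "Machine SamAccountName: PRINT-SRV$\nDomain: CORP\nAccount Type: Workstation Trust\n"
                "Machine Operating System: Windows Server 2012 R2 Standard\n"
                "Machine Operating System Build: 9600\nMachine Operating System Service Pack: \n"},
    {"time": "2020-09-21T10:31:00Z", "computer": "DC01.corp.example", "event_id": 5719,
     "message": "An unrelated Netlogon event that the triage must ignore.\n"},
]


def parse_fields(message: str) -> dict:
    """Pull the 'Key: value' lines out of an event body."""
    return {key: value.strip() for key, value in FIELD_RE.findall(message)}


def triage(records):
    """Group events by the account that presented the insecure channel and infer,
    per domain controller, whether enforcement is active."""
    accounts = defaultdict(lambda: {"event_ids": set(), "dcs": set(), "os": ""})
    dc_mode = {}
    for rec in records:
        eid = rec["event_id"]
        if eid not in NETLOGON_EVENTS:
            continue  # other Netlogon noise
        fields = parse_fields(rec["message"])
        # Trust-account events (5828/5831) name the trust, not a machine; bucket them together.
        name = fields.get("Machine SamAccountName", "(trust account)")
        entry = accounts[name]
        entry["event_ids"].add(eid)
        entry["dcs"].add(rec["computer"])
        entry["os"] = fields.get("Machine Operating System", entry["os"])
        if eid in DENIED:
            dc_mode[rec["computer"]] = "enforcing"  # this DC already refuses insecure channels
        elif eid in DEPLOYMENT_ALLOWED:
            dc_mode.setdefault(rec["computer"], "deployment phase")  # still letting them through
    return dict(accounts), dc_mode


def policy_exceptions(accounts) -> list:
    """Accounts kept working only through the group-policy allow list; each is a standing
    exposure that must be reviewed before enforcement."""
    return sorted(name for name, e in accounts.items() if e["event_ids"] & POLICY_ALLOWED)


def still_insecure(accounts) -> list:
    """Every account seen using an insecure channel, denied or not. These devices need a
    vendor fix or replacement before the enforcement phase cuts them off."""
    return sorted(accounts)


def report(records) -> list:
    accounts, dc_mode = triage(records)
    lines = [f"{dc}: {mode}" for dc, mode in sorted(dc_mode.items())]
    for name in still_insecure(accounts):
        e = accounts[name]
        ids = ", ".join(f"{i} ({NETLOGON_EVENTS[i]})" for i in sorted(e["event_ids"]))
        lines.append(f"{name} [{e['os']}] seen by {', '.join(sorted(e['dcs']))}: {ids}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

On a live domain controller the same records come from the System log’s NETLOGON source (for instance via Get-WinEvent filtered on those five IDs), and the switch from “deployment phase” to “enforcing” is the FullSecureChannelProtection value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, which Microsoft’s guidance says to set to 1 once the 5829 events have been cleared.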
Also, the Samba Team has released a patch for its suite of file and print services for Windows and Linux, which implements the same Netlogon protocol when Samba acts as a domain controller. But Samba’s default since version 4.8, released in March 2018, has been to require a secure Netlogon channel (“server schannel = yes”), according to its advisory.
The Samba Team says that default is a sufficient defense against the known Zerologon exploits; installations that have overridden it, or that run older releases, need the patch or the setting restored.