Zerologon Attack Lets Hackers Take Over Enterprise Networks Within 3 Seconds (zdnet.com)
An anonymous reader writes: Researchers have developed and published a proof-of-concept exploit for a recently patched Windows vulnerability that can allow access to an organization's crown jewels -- the Active Directory domain controllers that act as an all-powerful gatekeeper for all machines connected to a network.
CVE-2020-1472, as the vulnerability is tracked, carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System. Exploits require that an attacker already have a foothold inside a targeted network, either as an unprivileged insider or through the compromise of a connected device. However, when this condition is met, it's literally game over for the attacked company, as an attacker can hijack its entire network within three seconds by leveraging a bug in the Netlogon authentication protocol cryptography by adding zero characters in certain Netlogon authentication parameters, bypassing authentication procedures and then changing the password for the DC server itself. The technical report from Secura B.V., a Dutch security firm, is available here.
no sanitisation, compromised by "adding characters" (Score:3, Interesting)
honestly so much for Microsoft paying attention to security...
the sooner organisations kill active directory the better but honestly, I don't see how they can right now... talk about antitrust...
suggestions for active directory replacement/alternative?
Re: (Score:3)
Re:Here comes the wave of ransomware attacks! (Score:5, Funny)
Systems built using windows are fragile, that's why I build mine with bricks.
Re: (Score:2)
"Hey dude, your system just bricked itself!"
"Don't worry, it's just the OS doing its job!"
Most secure OS ever.
Re: (Score:3)
Re: (Score:3)
Re:no sanitisation, compromised by "adding characte (Score:4, Interesting)
There's no replacement for a Microsoft environment, the AD is just way too convoluted and not very easy to understand and set up in a secure way anyway.
The only way to achieve security within an organization is to build small isolated networks with physical separation in the organization. So HR has one net, Development one, Customer Service one etc. Then have well defined interfaces between the networks whenever necessary.
It will create more administration and require more IT personnel that can't work remotely due to the security risks that creates.
And don't get me started on "the cloud", that's even worse because then the domains are more or less exposed to the cloud services. Imagine the effect if there's a major hole in OneDrive provided by Microsoft that allows an attacker to worm into every company utilizing that service.
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
Not good for you if the security officer finds out that it has happened.
Re: (Score:2)
Re: (Score:3)
I'll agree that most LDAP configurations are distorted, very quickly, by the Microsoft GUI and the practices taught to Active Directory administrators. It's compounded by the numerous unnecessary services and tools normally built into a Windows Server system, and the closed source operating system. It's why I use Samba when I have to run my own server, and encourage it for others in place of Microsoft based systems. The high availability functionality on far less expensive contracts or licenses, coupled wit
Re: (Score:2)
Re:no sanitisation, compromised by "adding characte (Score:5, Informative)
You do realise this was patched in last months cumulative update right?
The only reason the security researcher was able to code the proof of concept exploit was that MS published the CVE after it was patched....
If you think any OS, including Linux, doesn't have unpublished or unreported or undiscovered vulnerabilities, you're dreaming.
Re: (Score:3)
Not all unpatched vulnerabilities have CVSS ratings of 10.0 like this one, though. It was patched just a month after Microsoft patched a CVSS 10.0 vuln in their DNS server software -- and that one was 17 years old. Linux and the BSDs are not perfect, but they do not have the density of critical security holes that Windows has.
Re: (Score:2)
Re:no sanitisation, compromised by "adding characte (Score:5, Interesting)
no sanitisation, compromised by "adding characters"
I actually read TFWP, and it turns out they don't really add characters at all. (I was curious to see if they were doing something like abusing the network protocol to confuse C string handling.) It's more interesting than that.
The login protocol encrypts a small authentication token using a random session key. The system uses AES in an obscure serial mode, but it stupidly uses an all-zero initialization vector. The researcher found that any session key that happens to start with zero will produce an all-zero result token given the AES mode and zeroed IV. So one time out of 256 tries on average, an all-zero authentication token will match. They just keep trying to authenticate with an all-zero token until they get in.
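The property the comment above describes, as an added example that is not code from the article, the Secura report, or any poster here: a hand-written AES-CFB8 routine (Go's standard cipher.NewCFBEncrypter is full-block CFB, so it cannot be reused) encrypts an 8-byte all-zero token under a fixed all-zero IV. Whenever the first byte of AES_k(0^16) is zero, the first ciphertext byte is zero, the shift register stays all zeros, and every later byte comes out zero too, so roughly 1 key in 256 turns a zero token into a zero ciphertext. The same routine with a per-key IV never does. The 8-byte token length, the sha256-derived sample keys and IVs, and the function names are all assumptions made for this demonstration, not anything from the protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// cfb8Encrypt is a by-hand AES-CFB8: each plaintext byte is XORed with the
// first byte of AES_k(register), and the ciphertext byte is shifted into the
// register. The IV is the register's initial contents.
func cfb8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	reg := make([]byte, aes.BlockSize)
	copy(reg, iv)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		c := p ^ ks[0]
		out[i] = c
		copy(reg, reg[1:]) // shift left one byte
		reg[aes.BlockSize-1] = c
	}
	return out, nil
}

func allZero(b []byte) bool {
	for _, x := range b {
		if x != 0 {
			return false
		}
	}
	return true
}

// firstKeystreamByteIsZero reports whether AES_k(0^16) begins with 0x00. With a
// zero IV and zero plaintext this single byte decides the whole ciphertext: if it
// is zero the register never changes and every output byte is zero; if it is
// not, the very first output byte is non-zero.
func firstKeystreamByteIsZero(key []byte) bool {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false
	}
	ks := make([]byte, aes.BlockSize)
	block.Encrypt(ks, make([]byte, aes.BlockSize))
	return ks[0] == 0
}

// deriveKey and deriveIV produce deterministic sample material from a counter
// (constructed test data, so the run is reproducible offline).
func deriveKey(i uint32) []byte {
	var buf [4]byte
	binary.BigEndian.PutUint32(buf[:], i)
	sum := sha256.Sum256(buf[:])
	return sum[:16]
}

func deriveIV(i uint32) []byte {
	var buf [4]byte
	binary.BigEndian.PutUint32(buf[:], i)
	sum := sha256.Sum256(append([]byte("iv:"), buf[:]...))
	return sum[:16]
}

// countAllZeroOutputs counts, over n sample keys, how many encrypt an 8-byte
// zero token to an all-zero ciphertext. zeroIV=true is the flawed fixed-IV
// construction; zeroIV=false uses a distinct IV per key.
func countAllZeroOutputs(n uint32, zeroIV bool) (int, error) {
	token := make([]byte, 8)
	count := 0
	for i := uint32(0); i < n; i++ {
		iv := make([]byte, aes.BlockSize)
		if !zeroIV {
			iv = deriveIV(i)
		}
		ct, err := cfb8Encrypt(deriveKey(i), iv, token)
		if err != nil {
			return 0, err
		}
		if allZero(ct) {
			count++
		}
	}
	return count, nil
}

func main() {
	n := uint32(65536)
	flawed, _ := countAllZeroOutputs(n, true)
	fixed, _ := countAllZeroOutputs(n, false)
	fmt.Printf("zero IV:   %d of %d keys map a zero token to a zero ciphertext (expected about %d)\n", flawed, n, n/256)
	fmt.Printf("unique IV: %d of %d keys map a zero token to a zero ciphertext\n", fixed, n)
}
```

The defensive lesson is the one the fixed construction shows: a chaining mode's IV has to be unique per session, because with a fixed IV the ciphertext of a fixed plaintext depends on the key alone, and a 1-in-256 key-dependent event is well within reach of a few hundred retries. Detection-wise, the same observation means a burst of failed authentications with identical credential values from one client is the signature to watch for.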
Re:no sanitisation, compromised by"adding characte (Score:5, Insightful)
I read that too. My first thought was, nice backdoor and I wonder how long that's been abused and by whom.
I mean really, how could initializing a session key with a fixed value get by any code review for so long? I know I'm excessively paranoid, but this piece of code has been alive longer than some of the posters here. I'm suspicious.
Re: (Score:1)
Ah that's why the 3 minute timing is mentioned, it must be the average time to do those 256 tries.
Neat.
Re: (Score:1)
suggestions for active directory replacement/alternative?
I assume you're asking for perfectly coded bug free alternatives given the context of the discussion. Well here's an exhaustive list:
---
End of List
Re: (Score:2)
Re: (Score:3)
If it makes you feel better, it was patched last month.
Besides, I like AD. There really isn't a great alternative that isn't also a form of AD.
Re: (Score:3)
Indeed. AD is an abomination and it looks like it cannot be fixed. Or at least MS cannot fix it or does not care enough to do so.
Re: (Score:3)
If we could get users to accept less features and then slowly claw back features over time as they are carefully engineered, we could get a handle on security problems.
Good luck with that.
Re:Cyber warfare (Score:4, Funny)
I doubt any country would really attack the United States for harboring Microsoft.
Zero characters (Score:2)
by adding zero characters
Or maybe adding some zeros, or some characters zero.
Re: (Score:2)
Or perhaps adding literally the Zero character [wikipedia.org].
Re: (Score:1)
More likely NULL characters (ASCII 00)
I don't feel sorry for their clients (Score:1)
Windows (Score:2)
You chose Windows.
Live with it
Die with it.
Re:I don't feel sorry for their clients (Score:4, Insightful)
Yep, I believe we're here (Score:2)
We are here. I'd say more, but I gotta run double check all our AD servers to make sure the Infra-Systems team patched them last month like we told them to.
Then I need to finish up looking over the code for, and testing, the non-executable stack in Linux. Monday, it was the stack canary in Linux, studying the code and doing some tests.
Last week I discovered something interesting - using virtualization significantly *reduces* the security of the guest OS and security boundaries between applications on the s
Re: (Score:2)
your sensitive applications on dedicated VMs, one VM per application
And soon we'll have as many physical boxes for VM nodes as we did back before we virtualized.
Maybe we should go back to using a single OS running multiple apps in strict security contexts (in other words, "go forward" to containers). It seems rather inefficient to engage in care and feeding of so many full-fledged OS instances.
See your own signature! Just a kernel, 48MB (Score:2)
> It seems rather inefficient to engage in care and feeding of so many full-fledged OS instances.
Click on your sig and think about that. :)
All you need to run an app is a minimal kernel (no hardware device drivers needed) and essentially an initramfs, though you can run that 40MB Linux from disk rather than RAM.
You don't need a Gnome desktop and web browser to run a radius server or whatever. 48 MB of RAM and 48 MB is perfectly fine for a base Linux that gives you a command line then install your app.
Typo: 48MB disk, 48MB RAM. Really just the kernel (Score:2)
I had a typo. 48MB of disk and 48 MB of RAM.
No need to install and maintain 300 programs to run just one.
Pretty much, you've got your kernel, your app, sshd and rsyslog. That's all you need to maintain.
But you knew that, because it's not Windows 8 that you ran on that printer. :)
Re: (Score:2)
Yeah, I know that. But out here in the "Real World" over half our services are running on Windows VMs.
Re: (Score:2)
My heart bleeds for him.
Re:I don't feel sorry for their clients (Score:4, Insightful)
This isn't really a problem of proprietary vs. closed source. There may be many advantages of open source software, but immunity to security bugs is not one of them. This stuff is hard and the tiniest error in the obscurest function might create one. No amount of code review will find all potential problems. Even if the code is "perfect" (100% to specification) there are likely to be flaws in the specifications somewhere.
Any software that has such a critical place will eventually get hacked (possibly multiple times - many actors prefer not to publish what they find so it doesn't get fixed).
My bet is that Microsoft has some of its best developers on this sort of code and very, very strict rules on committing changes.
Re: (Score:2)
Any software that has such a critical place will eventually get hacked
Blanket statements like this ignore proven mathematical realities surrounding encryption. If you start with a simple reference implementation and a full understanding of cryptography and keep your feature set small, there are only a finite number of ways to f**k it up. Comprehensive review will eventually eliminate all of them. After that the only threats you face are errors introduced when features are added, and errors introduced when the assumptions about the underlying hardware platform are violated
Re: (Score:2)
It is probably too late for this comment to be seen :)
There are only a finite number of ways to create a program in a 64-bit space, so there are of course only a finite number of ways to f**k up any program. But that number is always sufficiently large that "unlimited" is probably a good description of the number of ways.
Comprehensive review is, of course, essential for any critical software. Mathematical proofs can validate only a small part of a program. A mathematical proof will have to be approximately
Re: (Score:2)
There are only a finite number of ways to create a program in a 64-bit space, so there are of course only a finite number of ways to f**k up any program.
There are 26**N ways to write an N character English sentence. Only a very small subset will look like anything but gibberish and would actually be written by a human. Enough people checking the grammar and spelling will eventually fix all the errors in sentences that were subject to that process.
Treating these programs as "software" is not proper product engineering. You must consider the underlying hardware, and if you are in the business of offering security guarantees, prevent the product from being
Re: (Score:1)
Re: (Score:1)
The Microsoft crap is just wayyyy more flawed. If this were a rational world, they would have been kicked out of every enterprise a long time ago. But people fear change and they will just stick with what they think they know.
..sort of true (Score:3)
However, unlike macOS and Windows... Linux has no proper measures to prevent surreptitious tampering with userspace binaries. Windows has the ability to deploy
Re: (Score:2)
*shrug* (Score:2)
Subby wrongly assumes every *enterprise network* is a Windows one. Hint: that's not the case.
You deserve what you get. (Score:1, Insightful)
Re: (Score:2, Redundant)
Wishing bad things to happen to others because they do not conform to your ideal picture of the world is at best immature.
The most secure OS ever (Score:3)
Re: (Score:2)
They never claimed that about AD servers, just Windows 10 ;-)
Do it in one second now (Score:2)
Re: (Score:1)
It's just AD being slow.