“Zerologon” Understanding the Issues and Applying Solutions

A new CVE was released recently that has made quite a few headlines – CVE-2020-1472. Zerologon, as it’s called, may allow an attacker to take advantage of the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of any computer when trying to authenticate against the domain controller.

To put that more simply, this vulnerability in the Netlogon Remote Protocol (MS-NRPC) could allow attackers to run their applications on a device on the network. An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access.

According to Dustin Childs with Trend Micro’s Zero Day Initiative (ZDI), “What’s worse is that there is not a full fix available. This patch enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug. After applying this patch, you’ll still need to make changes to your DC. Microsoft published guidelines to help administrators choose the correct settings.”

But if there’s a patch, why is this a big deal?
You might be thinking, “Well if there’s a patch, this really isn’t an issue.” But the idea of “just patch it” is not as easy as it sounds – check out this post (also from Dustin with the ZDI) for more insights on barriers to patching.

The average Mean Time to Patch (MTTP) is 60 to 150 days. This CVE was published in early August, so that would put the average time for implementing this patch between October 2020 and January 2021.

You have maybe heard the security industry joke that after Patch Tuesday comes Exploit Wednesday. That’s the comedic way to suggest that after a batch of patches for new CVEs are released the first Tuesday of every month from Microsoft and Adobe, attackers get to work reversing the patches to write exploits to take advantage of the bugs before patches have been applied.

Given the MTTP, that’s 2-5 months that your organization is left exposed to a known threat.

So what can I do to protect my organization?
Fortunately, there are advanced protections available for organizations to stay protected, including virtual patching. This provides an extra layer of security to help protect against vulnerabilities before you apply the official vendor patch. As the name suggests, it’s very similar to a patch because it is specifically designed to protect your environment with intrusion protection system (IPS) capabilities in case someone attempted to exploit that vulnerability. In general, virtual patches can be a critical safety net to allow you to patch in the way that works for your organization.

With Trend Micro, our virtual patching technology helps you mitigate attacks focused on thousands of vulnerabilities, giving you the flexibility to patch regularly without breaking your operational processes for every emergency patch. Other features, such as log inspection, also help you get valuable insight into post-patch exploitation attempts on your network even after you have fully patched. To learn more about Trend Micro protection for CVE-2020-1472, read our knowledge base article here.

On September 11, 2020, detailed technical information was made public regarding a critical Microsoft Windows vulnerability (CVSS 10) that was included in Microsoft’s August 2020 Patch Tuesday set of updates and appears to affect all currently supported Windows Server (2008 R2 and above).

When originally disclosed in August, the vulnerability was given the official designation of CVE-2020-1472, but not much detail on the vulnerability itself was made public.

However, we know that this vulnerability, now dubbed “Zerologon,” may allow an attacker to take advantage of the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of any computer when trying to authenticate against the domain controller. From there, a variety of other attacks, including but not limited to disabling security features, changing passwords, and essentially taking over the domain are possible.

The entire attack as demonstrated, is very fast, and can be executed in approximately 3 seconds, so it could be very dangerous. In addition, Trend Micro is now aware of weaponized proof-of-concept code that has been made publicly available, meaning that real exploits could be close behind.
Mitigation and Protection

First and foremost, the first line of protection against this vulnerability is to ensure that all affected systems are patched with Microsoft’s latest security update. This continues to be the primary recommendation for protection against any exploit that that may arise from this vulnerability.

According to the research, there is one serious limitation to exploits of this vulnerability – specifically it cannot be exploited remotely. An attacker will first need to gain access to the network domain via other means (legitimately or not). So one major mitigation point would be to ensure that network access (both physical and remote) are carefully guarded. However, if an attacker has obtained access to a network via another vulnerability or legitimately, this could become a powerful exploit.

Trend Micro Protection

To assist customers, Trend Micro has created and released some additional layers of protection in the form of Deep Security and Cloud One – Workload Security IPS rules and TippingPoint filters that may help organizations strengthen their overall security posture, especially in situations where comprehensive patching may take time or is not feasible.

IPS Rules

Deep Security and Cloud One – Workload Security, Vulnerability Protection and Apex One Vulnerability Protection (iVP)
Rule 1010519 – Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)
Rule 1010521 – Netlogon Elevation of Privilege Vulnerability Over SMB (CVE-2020-1472)
Rule 1010539 – Identified NTLM Brute Force Attempt (ZeroLogon) (CVE-2020-1472)
Please note that the rules are already set to Prevent.

Worry-Free Business Security Services
Microsoft Windows Netlogon Elevation Of Privilege Vulnerability Over SMB (CVE-2020-1472)
Microsoft Windows Netlogon Elevation Of Privilege Vulnerability (CVE-2020-1472)
Filter 38166: MS-NRPC: Microsoft Windows Netlogon Zerologon Authentication Bypass Attempt
Filter 38235: MS-NRPC: Microsoft Windows NetrServerAuthenticate Request
Please note that the posture on this filter has been changed to Enable by Default.

Trend Micro TxONE
1137620: RPC Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)

Other Inspection / Detection Rules

Deep Security Log Inspection
1010541 – Netlogon Elevation Of Privilege Vulnerability (Zerologon) (CVE-2020-1472)
This Log Inspection (LI) rule for Deep Security gives administrators visibility into potential exploit activity. Due to the complexity of this vulnerability, the Log Inspection rule will only log activities against systems that have already applied the Microsoft patch. Administrators who have patched critical servers with Deep Security may find this information useful internally to help accelerate patching of endpoints and non-critical systems if there is evidence of activity in their environment.

Deep Discovery Inspector

Trend Micro is continuing to aggressively look into other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Microsoft patches as soon as possible. We will continue to update this article and our customers if/when additional layers of protection are found.

Trend Micro Blog: Zerologon” and the Value of Virtual Patching – https://www.trendmicro.com/en_us/research/20/i/zerologon-and-value-of-virtual-patching.html
Trend Micro Video (Youtube) – Cloud One – Workload Security about Zerologon
Microsoft Advisory – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

Source :