Zerologon: a threat to corporate networks

Microsoft quietly fixed one of the most serious bugs ever reported to the company last month. This bug can be exploited to easily take control of Windows servers operating as domain controllers in corporate networks.

The CERT-FR warns

CERT-FR also warns of the seriousness of this flaw and publishes a newsletter about it. It references existing documentation and prompts administrators to deploy fixes.

“If you have not deployed the patches made available by the publisher on August 11, 2020, it is necessary to apply them without delay and to perform information system checks in order to detect a possible compromise. “

The bug was corrected in the Patch Tuesday of August 2020 under the identifier CVE-2020-1472. It is described as an elevation of privilege in Netlogon, the protocol that authenticates users against domain controllers.

This vulnerability was assigned a maximum severity rating of 10, but details were not made public. Which means users and administrators never knew how dangerous the problem was.

A few zeros to take control

But the team from Secura BV, a Dutch security company, finally lifted the veil by releasing a technical report describing CVE-2020-1472 in more depth, announced this Monday on their blog. According to their research, the flaw is truly worthy of its severity score of 10/10 CVSSv3.

Secura experts named this vulnerability Zerologon. They discovered that it takes advantage of a weak cryptographic algorithm used in the Netlogon authentication process.

It thus allows a potential attacker to manipulate the authentication procedures of Netlogon, but also to:

  • impersonate any computer on a network when it tries to authenticate with the domain controller;
  • disable security devices in the Netlogon authentication process;
  • change the password of a computer in the Active Directory of the domain controller (a database of all the computers attached to a domain, and their passwords).

The bottom line, and the reason the flaw has been named Zerologon, is that the attack is carried out by adding the zero (0) character in some Netlogon authentication settings (see the graphic below).


Image : Secura.

The whole attack proceeds very quickly and can last up to three seconds, at most. Also, there is no limit to how an attacker can use it. For example, he can also impersonate the domain controller himself and change his password, which allows him to take over the entire corporate network.

Take control of a corporate network in three seconds

There are, however, some limitations to using a Zerologon attack. For starters, it cannot be used to take control of Windows servers outside of the network. An attacker first needs to gain a foothold within a network. However, when this condition is met, it is literally the end of the game for the attacked company.

“This attack has a huge impact,” warns the Secura team. “It allows any attacker on the local network (such as a malicious employee or someone who has simply plugged a device into a network port on site) to completely compromise the Windows domain. “

In addition, this bug is also a boon for cybercriminal groups, who often rely on infecting a computer within a company’s network and then spreading it to several others. With Zerologon, this task has been greatly simplified.

Patch available – more to come

But releasing a patch update for Zerologon hasn’t been easy for Microsoft – it must have changed the way billions of devices connect to corporate networks, disrupting the operations of countless companies.

The fix is ​​planned in two phases. The first happened last month, when an interim fix was released for the attack in question. He made Netlogon’s security features (which Zerologon disabled) mandatory for all authentication, thus blocking these attacks.

Nonetheless, a more comprehensive patch is planned for February 2021, just in case attackers find a way around the protective measures put in place in August. Unfortunately, Microsoft anticipates that this latest fix will eventually cause problems for authentication on some devices. The details of this second patch are not yet public, however.

A flaw to be exploited

Attackers will most likely use the Zerologon vulnerability, mainly due to its severity, wide impact, and the benefits it presents to them.

Secura has not released a proof of concept code for a Zerologon attack, but it expects those codes to appear after its report goes online.

According to CERT-FR, exploit codes have already been published online, which means that attackers can easily exploit the flaw in malicious attacks.

In the meantime, Secura has published a Python script which allows you to know if the domain controllers have been correctly patched.

Source :

Leave a Comment