| CVE identifier(s) | CVE-2020-1472 |
|---|---|
| Date discovered | 17 August 2020 |
| Date patched | 11 February 2021 |
| Discoverer | Tom Tervoort from Secura [1] |
| Affected software | Netlogon Remote Protocol |
Zerologon (formally CVE-2020-1472) is a privilege elevation vulnerability in Microsoft's authentication protocol Netlogon Remote Protocol (MS-NRPC), as implemented in the Windows Client Authentication Architecture and Samba. [2] The vulnerability was first reported to Microsoft by security researcher Tom Tervoort from Secura on 17 August 2020 and dubbed "Zerologon". [1] [3] Zerologon was given a Common Vulnerability Scoring System v3.1 severity ranking of 10 by the U.S. National Institute of Standards and Technology and a 5.5 by Microsoft. CrowdStrike classifies it as the most severe Active Directory vulnerability of 2020. [4]
The vulnerability allows an adversarial user of the network to be authenticated by a Domain Controller (DC) and then impersonate the DC in order to elevate to domain admin privileges. [4] It allows attackers to access all valid usernames and passwords in each Microsoft network that they breach. [5] [6] This in turn gives them the additional credentials needed to assume the privileges of any legitimate user of the network, which can let them compromise Microsoft 365 email accounts. [5] [6]
The Netlogon Remote Protocol (MS-NRPC) is a Microsoft protocol used for authentication and secure communication between clients and DCs in a Windows network environment. It facilitates the exchange of authentication data and the establishment of secure channels for communication, enabling clients to authenticate against Active Directory and other network services. The protocol plays a key role in domain join operations, password changes, and other security-related tasks within a Windows domain. [7]
The original report by Secura explains the exploit in five steps. [4]
The attack focuses on the DC of a network. MS-NRPC relies on a challenge–response authentication to generate a session key and client credentials from a shared secret (such as a passphrase), along with client and server challenges. The client credentials are computed from the session key, an initialization vector (IV), and the client challenge using a less common Advanced Encryption Standard (AES) block cipher mode, namely 8-bit Cipher Feedback Mode (AES-CFB8). Because the server challenge is randomly generated, the resulting session key is also effectively random and is then used to encrypt the IV and the client challenge. In 1 out of 256 cases, the AES encryption of the IV starts with a zero byte, which is XORed with the first byte of the client challenge. If the client challenge is set to all zeros, the result will also be a zero byte. In the next encryption round, the AES input is shifted to include the byte just XORed. Since the input remains all zeros and the session key does not change, each subsequent calculation will also produce a zero byte. The server-computed client credentials are then compared to those sent by the client, which an attacker can also set to all zeros. The client is now authenticated. [4] [3]
MS-NRPC signs and encrypts subsequent calls with the session key, which the attacker does not know. An attacker can circumvent this by omitting a flag in the authentication RPC call, which disables signing and encryption. [4] [3]
Another obstacle the attacker must overcome is the so-called authenticator value used by Netlogon, which is required for some calls. This value is computed from an incrementing counter held by the client, the client credentials, and a timestamp. If the client sets both the counter and the timestamp to all zeros when an RPC call is invoked, the server will compute an all-zero authenticator as well, allowing the attacker to carry out the call. [4] [3]
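As an added illustration (not code from the article, from Secura or from Microsoft), the following Go program models only the credential computation described above. It implements AES-CFB8 by hand over Go's standard-library AES, assumes an AES-128 session key and an 8-byte client challenge (both sizes are assumptions of this example), and uses the all-zero IV and all-zero challenge from the text. It checks the chaining property (a zero first byte forces every later byte to zero) and counts, over random keys, how often the credential comes out all-zero: about 1 in 256 with the fixed zero IV. It goes one step beyond the text by repeating the count with a fresh random IV per key, which is a general property of CFB mode rather than a description of Microsoft's fix; a fixed IV in a CFB-based credential scheme is the design weakness a reviewer should flag. The program never speaks the network protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// Sizes assumed for this illustration (not stated in the article):
// an AES-128 session key and an 8-byte client challenge/credential.
const (
	keySize        = 16
	credentialSize = 8
)

// aesCFB8 implements AES in 8-bit cipher feedback mode: each step encrypts a
// 16-byte shift register, XORs the first output byte with one plaintext byte,
// then shifts the resulting ciphertext byte into the register. With a zero IV
// and zero plaintext, a zero output byte leaves the register all-zero, so the
// next step repeats exactly the same computation.
func aesCFB8(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	register := make([]byte, aes.BlockSize)
	copy(register, iv)
	keystream := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(keystream, register)
		out[i] = p ^ keystream[0]
		copy(register, register[1:])
		register[aes.BlockSize-1] = out[i]
	}
	return out, nil
}

func allZero(b []byte) bool {
	for _, x := range b {
		if x != 0 {
			return false
		}
	}
	return true
}

// randomKey stands in for the session key derived from a random server challenge.
func randomKey() ([]byte, error) {
	key := make([]byte, keySize)
	_, err := rand.Read(key)
	return key, err
}

// firstByteDeterminesRest checks the chaining property: under a zero IV and an
// all-zero challenge, the credential is entirely zero exactly when its first byte is.
func firstByteDeterminesRest(key []byte) (bool, error) {
	cred, err := aesCFB8(key, make([]byte, aes.BlockSize), make([]byte, credentialSize))
	if err != nil {
		return false, err
	}
	return (cred[0] == 0) == allZero(cred), nil
}

// countZeroCredentials draws random keys and counts how many yield an all-zero
// credential for an all-zero challenge. With the fixed zero IV the expected
// fraction is 1/256; with a fresh random IV per key the shift register does not
// stay all-zero and the count is, with overwhelming probability, 0.
func countZeroCredentials(trials int, randomIV bool) (int, error) {
	iv := make([]byte, aes.BlockSize)
	challenge := make([]byte, credentialSize)
	zeros := 0
	for i := 0; i < trials; i++ {
		key, err := randomKey()
		if err != nil {
			return 0, err
		}
		if randomIV {
			if _, err := rand.Read(iv); err != nil {
				return 0, err
			}
		}
		cred, err := aesCFB8(key, iv, challenge)
		if err != nil {
			return 0, err
		}
		if allZero(cred) {
			zeros++
		}
	}
	return zeros, nil
}

func main() {
	const trials = 100000
	fixedIV, err := countZeroCredentials(trials, false)
	if err != nil {
		panic(err)
	}
	freshIV, err := countZeroCredentials(trials, true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("fixed zero IV: %d of %d keys gave an all-zero credential (about 1 in 256 expected)\n", fixedIV, trials)
	fmt.Printf("random IV:     %d of %d keys gave an all-zero credential\n", freshIV, trials)
}
```

The fixed-IV count lands near trials/256 on every run, while the random-IV count stays at zero; the difference is entirely due to the IV, which is why the chained structure of CFB8 is only safe when the IV is unpredictable.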
In the penultimate step, the password is set to an empty one, allowing the attacker to follow the normal protocol procedure from this point on. [4] [3]
It is possible for the attacker to impersonate not just any user on the domain, but the domain controller itself. Once logged in, the attacker can retrieve hashed credentials from the DC, enabling a pass-the-hash attack and ultimately elevating to domain administrator. [4] [3]
Microsoft addressed the Zerologon vulnerability through two security updates: a less strict one in August 2020 and a later one in February 2021 that enforces signing and encryption for MS-NRPC calls by default, with the ability to exempt certain devices for legacy support. [8]
In 2020, Zerologon began to be used in sophisticated cyberespionage campaigns by threat groups such as Red Apollo in global attacks against the automotive, engineering and pharmaceutical industries. [9] Zerologon was also used to hack the municipal wireless network of Austin, Texas. [5]
Unusually, Zerologon was the subject of an emergency directive from the United States Cybersecurity and Infrastructure Security Agency. [10]