Zerologon

From Wikipedia, the free encyclopedia

Zerologon
CVE identifier(s): CVE-2020-1472
Date discovered: 17 August 2020
Date patched: 11 February 2021
Discoverer: Tom Tervoort from Secura [1]
Affected software: Netlogon Remote Protocol

Zerologon (formally: CVE-2020-1472) is a privilege elevation vulnerability in Microsoft's authentication protocol Netlogon Remote Protocol (MS-NRPC), as implemented in the Windows Client Authentication Architecture and Samba.[2] The vulnerability was first reported to Microsoft by security researcher Tom Tervoort from Secura on 17 August 2020 and dubbed "Zerologon".[1][3] Zerologon was given a Common Vulnerability Scoring System v3.1 severity rating of 10 by the U.S. National Institute of Standards and Technology and of 5.5 by Microsoft. CrowdStrike classifies it as the most severe Active Directory vulnerability of 2020.[4]

The vulnerability allows an unauthenticated user on the network to establish an insecure connection to a Domain Controller (DC) and then impersonate the DC to elevate to domain administrator privileges.[4] It allows attackers to access all valid usernames and passwords in each Microsoft network that they breach.[5][6] This in turn lets them obtain the additional credentials needed to assume the privileges of any legitimate user of the network, which in turn can let them compromise Microsoft 365 email accounts.[5][6]

Background

The Netlogon Remote Protocol (MS-NRPC) is a Microsoft protocol used for authentication and secure communication between clients and DCs in a Windows network environment. It facilitates the exchange of authentication data and the establishment of secure channels for communication, enabling clients to authenticate against Active Directory and other network services. The protocol plays a key role in domain join operations, password changes, and other security-related tasks within a Windows domain.[7]

Behavior

The original report by Secura explains the exploit in five steps.[4]

Bypassing the authentication

Figure: AES-CFB8 performed on a 16-byte IV concatenated with an 8-byte client challenge using the shared key as the key, resulting in an 8-byte client credential vector.

The attack targets the DC of a network. MS-NRPC relies on a challenge–response authentication to derive a session key from a shared secret (such as a passphrase). To authenticate a client, the MS-NRPC client credential is computed from the session key, an initialization vector (IV) and the client challenge using a less common Advanced Encryption Standard (AES) block cipher mode, 8-bit Cipher Feedback mode (AES-CFB8). This is where the vulnerability lies. Because the server secret is chosen at random, the session key computation yields, in 1 out of 256 cases, a session key that begins with a zero byte. The session key is then used to encrypt the IV and the client challenge. Since the IV is all-zero by default, the client challenge can be set to an all-zero vector as well, and with the zero-byte beginning of the session key, AES-CFB8 produces an all-zero client credential. The server-computed client credential is then compared with the credential sent by the client, which an attacker has also set to all zero. The client is now authenticated.[4][3]

Figure: AES-CFB8 performed on an all-zero 16-byte IV concatenated with an all-zero 8-byte nonce using the shared key as the key, resulting in an all-zero 8-byte Netlogon client credential.
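To make the 1-in-256 property concrete, the following is an added Python example; it is not code from the article, from Secura's report, or from Microsoft's or Samba's implementation. It implements the CFB8 mode generically; the 16-byte block cipher behind it is a constructed SHA-256 stand-in rather than AES, so the script runs with the standard library alone. The property shown depends only on how CFB8 feeds each ciphertext byte back into its shift register, so it holds for AES-CFB8 as used by MS-NRPC. Keys are derived from a counter for reproducibility, and all function names are the example's own.

```python
# Added example: CFB8 mode with an all-zero IV and an all-zero challenge.
# The block cipher is a constructed SHA-256 stand-in, NOT AES; the CFB8 logic
# is the part that matters and is written out in full.
import hashlib

BLOCK = 16  # AES block size in bytes (the register size CFB8 works on)


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for single-block AES encryption (constructed, not AES).

    Any keyed pseudorandom permutation gives the same statistical behaviour
    for the argument below: its first output byte is zero for ~1/256 keys.
    """
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(block_encrypt, key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic 8-bit Cipher Feedback mode.

    Per plaintext byte: encrypt the 16-byte register, XOR the first output
    byte with the plaintext byte, then shift that ciphertext byte into the
    register. With IV == 0 and plaintext == 0, a zero ciphertext byte leaves
    the register unchanged, so one zero keystream byte repeats for all 8.
    """
    assert len(iv) == BLOCK
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def netlogon_credential(key: bytes, challenge: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    """Client credential the way MS-NRPC derives it: the 8 challenge bytes run
    through CFB8 under the session key, with the IV all-zero by default."""
    assert len(challenge) == 8
    return cfb8_encrypt(toy_block_encrypt, key, iv, challenge)


def zero_credential_predicted(key: bytes) -> bool:
    """Prediction without running CFB8: the credential for an all-zero
    challenge is all zero exactly when E_k(0^16)[0] == 0."""
    return toy_block_encrypt(key, bytes(BLOCK))[0] == 0


def count_zero_credentials(num_keys: int) -> int:
    """Count keys (constructed from a counter) for which the all-zero
    challenge yields an all-zero credential. Expect about num_keys / 256."""
    hits = 0
    for i in range(num_keys):
        key = i.to_bytes(BLOCK, "big")  # constructed deterministic session key
        if netlogon_credential(key, bytes(8)) == bytes(8):
            hits += 1
    return hits


if __name__ == "__main__":
    n = 4096
    print(f"{count_zero_credentials(n)} of {n} keys give an all-zero credential "
          f"(expected about {n // 256})")
```

The run shows that the weakness is the mode and the fixed zero IV, not the strength of the cipher or of any particular key: because each attempt uses a fresh session key, no key choice helps, which is why the fix described under Mitigation is to require the signed and sealed secure channel rather than to change the cipher.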

Disabling signing and encryption

To circumvent the signing and encryption with the session key (which the attacker does not know) that MS-NRPC performs, an attacker can disable it by not setting a flag in the authentication RPC call.[4][3]

Spoofing RPC calls

Another obstacle the attacker must overcome is the so-called authenticator value used by Netlogon, which is required for some calls. This value is computed from an incrementing value held by the client, the client credentials, and a timestamp. If the client sets the incrementing value to all-zero and also sets the timestamp to all-zero when an RPC call is invoked, the server will set the authenticator to all-zero as well, allowing the attacker to carry out the call.[4][3]

Setting the password

In the penultimate step, the password is set to an empty one, allowing the attacker to follow the normal protocol procedure from this point on.[4][3]

Elevating to domain admin

It is possible for the attacker to impersonate not just any user on the domain, but the domain controller itself. Once logged in, the attacker can retrieve hashed credentials from the DC, enabling a pass-the-hash attack and ultimately elevating to domain administrator.[4][3]

Mitigation

Microsoft addressed the Zerologon vulnerability through two security updates: a less strict one in August 2020 and a later one in February 2021 that enforces signing and encryption for MS-NRPC calls by default, with the ability to exempt certain devices for legacy support.[8]
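As an added example, not from the article and not Microsoft's tooling, the following Python script triages the Netlogon events that the August 2020 update began writing to the System log on domain controllers, which is how an administrator finds the devices that still need attention before the February 2021 enforcement. It assumes the event IDs and meanings from Microsoft's CVE-2020-1472 deployment guidance: 5827 and 5828 for denied insecure connections from machine and trust accounts, 5829 for an insecure connection still allowed during the initial deployment phase, and 5830 and 5831 for connections allowed through the policy exception group. The records are constructed JSON lines with made-up account names, and the field names (EventID, TimeCreated, Account) are the example's own simplification of an exported event; function names are likewise the example's own.

```python
# Added example: triage of Netlogon secure-channel events on a DC.
# Event IDs below are assumed from Microsoft's CVE-2020-1472 guidance; the
# log records are constructed and the record layout is simplified.
import json
from collections import defaultdict
from typing import Dict, Iterable, List

VULNERABLE_CHANNEL_EVENTS = {
    5827: "denied (machine account)",
    5828: "denied (trust account)",
    5829: "allowed, initial deployment phase (machine account)",
    5830: "allowed by policy exception (machine account)",
    5831: "allowed by policy exception (trust account)",
}
# Events meaning the insecure connection was still let through.
ALLOWED_EVENTS = {5829, 5830, 5831}

# Constructed sample export (one JSON record per line); not real log data.
# Includes an unrelated logon event and a malformed line to show filtering.
SAMPLE_LOG = """\
{"EventID": 5829, "TimeCreated": "2020-09-15T08:01:12Z", "Account": "WKSTN01$"}
{"EventID": 4624, "TimeCreated": "2020-09-15T08:01:13Z", "Account": "alice"}
{"EventID": 5827, "TimeCreated": "2020-09-15T08:02:40Z", "Account": "OLDPRINTER$"}
{"EventID": 5829, "TimeCreated": "2020-09-15T08:05:03Z", "Account": "WKSTN01$"}
{"EventID": 5830, "TimeCreated": "2020-09-15T08:07:55Z", "Account": "LEGACYNAS$"}
not json at all
"""


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse JSON records, skipping blank or malformed lines and records
    without an integer EventID."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and isinstance(rec.get("EventID"), int):
            events.append(rec)
    return events


def vulnerable_connections(events: List[dict]) -> Dict[str, List[int]]:
    """Map each account to the Netlogon vulnerable-channel event IDs seen for it,
    in log order; accounts with no such events are not listed."""
    by_account: Dict[str, List[int]] = defaultdict(list)
    for ev in events:
        if ev["EventID"] in VULNERABLE_CHANNEL_EVENTS:
            by_account[ev.get("Account", "?")].append(ev["EventID"])
    return dict(by_account)


def triage(by_account: Dict[str, List[int]]) -> Dict[str, str]:
    """Label each account: 'allowed-insecure' if any event shows an insecure
    connection still being accepted, otherwise 'denied'."""
    return {
        account: "allowed-insecure" if any(e in ALLOWED_EVENTS for e in ids) else "denied"
        for account, ids in by_account.items()
    }


if __name__ == "__main__":
    found = vulnerable_connections(parse_events(SAMPLE_LOG.splitlines()))
    for account, status in triage(found).items():
        details = ", ".join(VULNERABLE_CHANNEL_EVENTS[e] for e in found[account])
        print(f"{account:12} {status:17} [{details}]")
```

Accounts labelled allowed-insecure are the ones to update or deliberately exempt before enforcement is turned on: once the February 2021 change is in effect, a device that was producing 5829 events is denied instead (5827), so it stops authenticating to the domain unless it has been fixed or placed in the exception group.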

Response and impact

In 2020, Zerologon started to be used in sophisticated cyberespionage campaigns by threat groups such as Red Apollo in global attacks against the automotive, engineering and pharmaceutical industries.[9] Zerologon was also used to hack the municipal wireless network of Austin, Texas.[5]

Unusually, Zerologon was the subject of an emergency directive from the United States Cybersecurity and Infrastructure Security Agency.[10]

References

  1. ^ a b "Netlogon Elevation of Privilege Vulnerability". Microsoft. Retrieved 13 December 2024.
  2. ^ "Zerologon: Samba Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)". RedHat. 25 September 2020. Retrieved 13 December 2024.
  3. ^ a b c d e f Tervoort, Tom (September 2020). "Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472)" (PDF). Secura. Retrieved 13 December 2024.
  4. ^ a b c d e f g h Simakov, Marina; Zinar, Yaron (16 December 2020). "Zerologon (CVE-2020-1472): An Unauthenticated Privilege Escalation to Full Domain Privileges". Crowdstrike. Retrieved 13 December 2024.
  5. ^ a b c Hvistendahl, Mara; Lee, Micah; Smith, Jordan (17 December 2020). "Russian Hackers Have Been Inside Austin City Network for Months". The Intercept. Archived from the original on 17 December 2020. Retrieved 18 December 2020.
  6. ^ a b "CISA orders agencies to quickly patch critical Netlogon bug". CyberScoop. 21 September 2020. Archived from the original on 30 October 2020. Retrieved 18 December 2020.
  7. ^ Kumar, Vipan (6 March 2024). "What is Netlogon?". Windows Techno. Retrieved 16 December 2024.
  8. ^ "How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 - Microsoft Support". Microsoft. Retrieved 16 December 2024.
  9. ^ Osborne, Charlie (18 November 2020). "Hacking group exploits ZeroLogon in automotive, industrial attack wave". ZDNet. Retrieved 13 January 2021.[dead link]
  10. ^ "Microsoft: Attackers Exploiting 'ZeroLogon' Windows Flaw". Krebs on Security. 24 September 2020. Retrieved 13 January 2021.