Zerologon (CVE-2020-1472) is a vulnerability in the cryptography of Microsoft’s Netlogon process. It is rated 10 out of 10 for severity, and there are already known proof of concept exploits and real attacks leveraging it.
Zerologon earned its name due to the flaw in the logon process. In this flaw, the initialization vector (IV) is set to zeros, while it should be always set to a random number. This allows the attacker to impersonate any computer, including the root domain controller, and to attack Microsoft Active Directory (AD) domain controllers.
Microsoft released two patches in August 2020, unfortunately, they do not provide a universal fix for this problem. A second phase patch will not be released until February 2021. This, of course, highly motivates attack groups to take advantage of the situation and use this critical flaw against organizations.
In fact, it has already been recognized that the Ryuk threat actors leveraged this vulnerability. It allowed them to move from initial phish to full domain-wide encryption in only five hours. Researchers already noticing a spike in exploitation attempts against Zerologon, targeting election support systems, and some of the origin in US hostile countries such as Iran.
This post will demonstrate 4 actions you should take to mitigate Zerologon vulnerability:
1. Patch your system with the patch published on August 11, 2020:
The patch will perform the following:
a. Enforces secure RPC usage for machine accounts on Windows-based devices.
b. Enforces secure RPC usage for trust accounts.
c. Enforces secure RPC usage for all Windows and non-Windows DCs.
d. Includes a new group policy to allow non-compliant device accounts (those that use vulnerable Netlogon secure channel connections). Even when DCs are running in enforcement mode or after the Enforcement phase starts, allowed devices will not be refused connection.
e. FullSecureChannelProtection registry key to enable DC enforcement mode for all machine accounts (enforcement phase will update DCs to DC enforcement mode).
f. Includes new events when accounts are denied or would be denied in the DC enforcement mode (and will continue in the Enforcement phase).
But as noted earlier, this patch provides only a partial solution. The DC will be properly secured only after an update, future to be published only in February 2021, will be released. In this update, the DC will be locked for SMB/Anonymous users.
Until then, organizations should take into considerations that Anonymous logon will be blocked with Winlogon. As a result, they'll be able to monitor Anonymous usage in Netlogon.
2. In order to secure your DC until Feb 2021, you should perform the following:
Identify Anonymous usage in the DC by logging events 4624, 4768, 5829, 5827. In case you do need to use it, you should:
a. exclude the item by creating a Security Group that includes the monitored items that are using Anonymous.
b. Configure the following: Computer Configuration > Windows Setting > Security Settings > Local Policy > Security Options> Domain controller: Allow vulnerable Netlogon secure channel connections
c. Set your Security Group to Allow.
d. Replicate this value in all DCs.
3. After installing the patch, you must harden the key
in the following registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection
Setting it to Enabled (1). This will mitigate the vulnerability also in third-party (non-Windows) applications.
4. When there is no Anonymous activity required in the DC, it is recommended to restrict user rights and security settings.
There are many hardening recommendations that without implementing them your AD will never be secured. Making sure your AD is properly hardened while not interrupting your production can be complicated and time-consuming. CalCom Hardening Solution will provide you a full hardening solution to your network, including your Active Directory.