Zerologon Vulnerability in Windows Server: How They Can Hack You

If you run Windows Server in your organization, install the latest Microsoft patches as soon as possible. A critical vulnerability has been discovered in Windows Server from version 2008 up to the latest available releases, that is, it affects every Microsoft server version. It is rated with a criticality of 10.0, and public proofs of concept (PoCs) already exist that make it easy to exploit.

Versions of Microsoft Windows Server affected by Zerologon

The vulnerability, named Zerologon, was fixed by Microsoft in its security bulletin last August, but it is only now being made public, so that sysadmins had a reasonable amount of time to install the patches and verify that everything works correctly. Microsoft released a security advisory on August 11, 2020 confirming the vulnerability in all of the following Windows Server versions:


  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)


What is this critical vulnerability?

This vulnerability, classified as critical with a 10/10 score, directly affects domain controllers (DCs) in Active Directory (AD). Because of a flawed implementation of AES-CFB8 in the Netlogon protocol, an attacker can set a new password with no further requirements, take complete control of the DC and obtain administrator credentials. The flaw lies in the initial authentication handshake, whose authentication can be bypassed entirely, so an attacker only needs to establish a TCP connection with a vulnerable domain controller. Simply being inside the local network is enough to exploit the flaw, since it does not require domain credentials of any kind.

Because of this bug in the AES implementation, an attacker can take full control of the DC and set an empty password on the domain. Since exploiting the flaw requires no authentication at all, the vulnerability has been named “Zerologon”.
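The weakness in the Netlogon use of AES-CFB8 is that the mode is run with a fixed all-zero initialization vector. The following Python script is an added illustration written for this article, not code from the original page or from the researchers who found the flaw. It implements the CFB8 mode generically and, as an assumption for this example, substitutes a keyed, truncated SHA-256 for the AES block function so it runs without third-party libraries; the behaviour shown depends only on the mode, not on the block cipher. It shows that with a zero IV and all-zero input, roughly 1 key in 256 produces an all-zero output (exactly those keys for which the first keystream byte is zero, because the shift register then never changes), whereas with any other IV this practically never happens.

```python
import hashlib

BLOCK_SIZE = 16  # 128-bit blocks, as in AES


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES-128 (an assumption made for this example): keyed SHA-256
    # truncated to one block. Any 128-bit block function shows the same CFB8 behaviour.
    assert len(block) == BLOCK_SIZE
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CFB8 keeps a 16-byte shift register seeded with the IV. For every plaintext byte
    # the register is encrypted, the first output byte is XORed with the plaintext byte,
    # and the resulting ciphertext byte is shifted into the register.
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Decryption runs the same keystream; the register is fed ciphertext bytes.
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ block_encrypt(key, bytes(register))[0])
        register = register[1:] + bytes([c])
    return bytes(out)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    return block_encrypt(key, bytes(BLOCK_SIZE))[0] == 0


def zero_iv_collapses(key: bytes, length: int = 8) -> bool:
    # With an all-zero IV and all-zero plaintext the register only changes if some
    # ciphertext byte is non-zero. If the first byte of E_k(0^16) is 0x00, the first
    # ciphertext byte is 0x00, the register stays all zeros, and so does every later byte.
    return cfb8_encrypt(key, bytes(BLOCK_SIZE), bytes(length)) == bytes(length)


def demo_key(i: int, seed: str = "zerologon-demo") -> bytes:
    # Deterministic key generation so the statistics below are reproducible (constructed).
    return hashlib.sha256(f"{seed}:{i}".encode()).digest()[:16]


def collapse_fraction(trials: int, iv: bytes = bytes(BLOCK_SIZE)) -> float:
    # Fraction of keys whose 8-byte all-zero plaintext encrypts to all zeros under `iv`.
    # Expected ~1/256 for the all-zero IV and ~2^-64 (i.e. never observed) otherwise,
    # because with a non-zero IV the register changes at every step even when c == 0.
    hits = sum(1 for i in range(trials) if cfb8_encrypt(demo_key(i), iv, bytes(8)) == bytes(8))
    return hits / trials


if __name__ == "__main__":
    print("zero IV   :", collapse_fraction(20000))
    print("0x01.. IV :", collapse_fraction(20000, iv=b"\x01" * BLOCK_SIZE))
```

The defensive lesson is the one Microsoft's fix applies: a CFB8 IV must be fresh and unpredictable per message, and a protocol must never let the client-chosen plaintext drive the entire handshake; neither the cipher nor the key size is at fault here.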

The security researchers who found the flaw have published a proof of concept (PoC) that exploits this vulnerability and can also be used to check whether an operating system has been patched against it. On the CVSSv3 scale the flaw has the maximum criticality of 10.0, since all that is needed is “visibility” of the domain controller; being inside the network is sufficient.

How can I fix this vulnerability on my Windows Server?

To fix this vulnerability you must update all the Active Directory (AD) domain controllers in your organization. Microsoft's own page for the Zerologon patch states that the vulnerability is critical and recommends installing it as soon as possible. Patching promptly is essential to prevent malicious users from exploiting the flaw; in addition, Microsoft has published a guide to help sysadmins update their systems and configure them correctly.
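After the patch is installed, the domain controller's System log starts recording Netlogon events 5827 and 5828 (vulnerable secure channel connections denied), 5829 (a vulnerable connection allowed, logged only while enforcement is not yet active) and 5830/5831 (allowed because of an explicit group policy exception). The Python script below is an added example for this article, not code from Microsoft or from the original page: it triages a constructed export of such events (the record layout and message wording are assumptions; only the event IDs are Microsoft's) and lists the machine accounts that still depend on the vulnerable channel, which is what a sysadmin needs to fix before switching on enforcement mode.

```python
import re
from collections import defaultdict

# Event IDs that the Zerologon patch adds to the System log on a domain controller.
NETLOGON_EVENT_MEANING = {
    5827: "denied: vulnerable machine-account connection",
    5828: "denied: vulnerable trust-account connection",
    5829: "allowed only because enforcement is not yet active",
    5830: "allowed by an explicit group policy exception (machine account)",
    5831: "allowed by an explicit group policy exception (trust account)",
}

# Constructed sample records approximating an export of the System log. The record
# layout and message text are assumptions for this example; only the IDs are real.
SAMPLE_EVENTS = [
    {"Id": 5829, "Computer": "DC01.corp.example",
     "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n"
                "SAM Account Name: PRINTSRV$\nDomain: CORP\nClient IP Address: 10.0.0.45"},
    {"Id": 5829, "Computer": "DC01.corp.example",
     "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n"
                "SAM Account Name: PRINTSRV$\nDomain: CORP\nClient IP Address: 10.0.0.45"},
    {"Id": 5829, "Computer": "DC02.corp.example",
     "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n"
                "SAM Account Name: NAS01$\nDomain: CORP\nClient IP Address: 10.0.2.17"},
    {"Id": 5827, "Computer": "DC01.corp.example",
     "Message": "The Netlogon service denied a vulnerable Netlogon secure channel connection.\n"
                "SAM Account Name: OLDWKS$\nDomain: CORP\nClient IP Address: 10.0.5.9"},
    {"Id": 5830, "Computer": "DC01.corp.example",
     "Message": "The Netlogon service allowed a vulnerable connection because of a group policy exception.\n"
                "SAM Account Name: LEGACYAPP$\nDomain: CORP\nClient IP Address: 10.0.9.2"},
    {"Id": 4624, "Computer": "DC01.corp.example",
     "Message": "An account was successfully logged on.\nAccount Name: alice"},  # unrelated, skipped
]

FIELD_RE = re.compile(r"^(SAM Account Name|Domain|Client IP Address):\s*(\S+)", re.MULTILINE)


def parse_fields(message: str) -> dict:
    # Pull the "Name: value" lines out of the event message body.
    return {name: value for name, value in FIELD_RE.findall(message)}


def triage(events):
    # Group the Netlogon enforcement events by machine account; other event IDs are ignored.
    summary = defaultdict(lambda: {"event_ids": set(), "sources": set(), "dcs": set(), "count": 0})
    for ev in events:
        if ev["Id"] not in NETLOGON_EVENT_MEANING:
            continue
        fields = parse_fields(ev["Message"])
        account = fields.get("SAM Account Name")
        if not account:
            continue
        entry = summary[account]
        entry["event_ids"].add(ev["Id"])
        entry["sources"].add(fields.get("Client IP Address", "?"))
        entry["dcs"].add(ev["Computer"])
        entry["count"] += 1
    return dict(summary)


def accounts_blocking_enforcement(events):
    # Accounts logged with 5829 still use the vulnerable channel and will be denied once
    # enforcement is on, so they must be updated (or knowingly excepted) before that switch.
    return sorted(a for a, e in triage(events).items() if 5829 in e["event_ids"])


def report(events) -> str:
    lines = []
    for account, e in sorted(triage(events).items()):
        meanings = "; ".join(NETLOGON_EVENT_MEANING[i] for i in sorted(e["event_ids"]))
        lines.append(f"{account}: {e['count']} event(s) on {', '.join(sorted(e['dcs']))} "
                     f"from {', '.join(sorted(e['sources']))} -> {meanings}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
    print("Fix before enforcing:", accounts_blocking_enforcement(SAMPLE_EVENTS))
```

In practice the input would come from an export of the System log on each domain controller; once no 5829 events remain, enforcement mode can be enabled ahead of Microsoft's schedule by setting the FullSecureChannelProtection DWORD to 1 under the Netlogon\Parameters key on every DC, after which vulnerable connections are denied and show up as 5827/5828 instead.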

We recommend reading the PDF paper on the Zerologon vulnerability, which explains in detail how this serious security flaw works.