ZeroLogon: All info in one place

ZeroLogon, the vulnerability found by Secura (a Dutch security company), has been assigned CVE-2020-1472. When exploited successfully, it allows an unauthenticated attacker who can reach a domain controller over the network to take control of that domain controller and obtain domain admin privileges.

Background of ZeroLogon

Secura’s security expert Tom Tervoort discovered a less severe Netlogon vulnerability last year that allowed workstations to be taken over, but the attacker needed a Person-in-the-Middle (PitM) position for that to work. He has now discovered a second, much more severe (CVSS score: 10.0) vulnerability in the same protocol.

By forging an authentication token for specific Netlogon functionality, he was able to call a function that sets the computer password of the domain controller to a known value (an empty password). With that password the attacker can authenticate as the domain controller, take it over and steal the credentials of a domain admin. Note for practitioners: this only changes the machine account password stored in Active Directory, not the one the domain controller keeps locally, so the domain controller itself stops working correctly until the original password is restored, which is why the published exploits restore it after the credentials have been dumped.

According to Secura, the flaw lies in the cryptographic authentication scheme of the Netlogon Remote Protocol:

The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.
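To make the flaw in that scheme concrete, here is an added example written for this page; it is not Secura's code and not taken from the whitepaper. Netlogon computes the client credential as AES-CFB8 over the 8-byte client challenge using the session key and an IV of 16 zero bytes (this detail comes from Secura's published analysis, not from the text above). The code below writes CFB8 out with its shift register visible and shows why an all-zero challenge produces an all-zero credential exactly when the first byte of E_k(0^16) is zero, which happens for roughly 1 in 256 session keys and is why the attacker can simply retry the handshake. It uses real AES-128 through the `cryptography` package when that is installed and otherwise falls back to a keyed HMAC stand-in; the stand-in is an assumption of this example, not the real cipher, and the 1/256 argument only needs the first keystream byte to be uniform over keys.

```python
"""
Added example (not from the original page, not Secura's code): why Netlogon's
AES-CFB8 with an all-zero IV maps an all-zero ClientChallenge to an all-zero
ClientCredential for about 1 in 256 session keys.

CFB8 feeds every ciphertext byte back into a 16-byte shift register. If the
register starts as all zeros (the fixed IV) and the plaintext byte is zero, the
ciphertext byte equals the first byte of E_k(0^16). When that byte is 0 the
register is still all zeros, so every following byte is zero as well.
"""
import hashlib
import hmac
import random

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    from cryptography.hazmat.backends import default_backend
    HAVE_AES = True
except ImportError:  # stand-in path, see block_encrypt()
    HAVE_AES = False


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Forward block-cipher call E_k(block) on a single 16-byte block.

    Real AES-128 when `cryptography` is available. Otherwise a keyed stand-in
    (HMAC-SHA256 truncated to 16 bytes). The stand-in is an assumption of this
    example: it is not AES, but CFB8 encryption only needs a keyed function
    whose first output byte is uniformly distributed over random keys.
    """
    assert len(key) == 16 and len(block) == 16
    if HAVE_AES:
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()
    return hmac.new(key, block, hashlib.sha256).digest()[:16]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode written out explicitly so the shift register is visible."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        # shift the register left by one byte and feed the ciphertext byte back in
        register = register[1:] + bytes([c])
    return bytes(out)


ZERO_IV = bytes(16)         # Netlogon's fixed IV
ZERO_CHALLENGE = bytes(8)   # the attacker's ClientChallenge in ZeroLogon


def zero_credential(key: bytes) -> bool:
    """True when this session key turns the all-zero challenge into an all-zero credential."""
    return cfb8_encrypt(key, ZERO_IV, ZERO_CHALLENGE) == bytes(8)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    return block_encrypt(key, ZERO_IV)[0] == 0


def random_key(rng: random.Random) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(16))


def credential_zero_iff_first_byte_zero(trials: int, seed: int = 2) -> bool:
    """The structural claim: an all-zero credential occurs exactly when E_k(0^16)[0] == 0."""
    rng = random.Random(seed)
    return all(
        zero_credential(k) == first_keystream_byte_is_zero(k)
        for k in (random_key(rng) for _ in range(trials))
    )


def count_vulnerable_keys(trials: int, seed: int = 1) -> int:
    """Sample random session keys and count how many give an all-zero credential.

    Expected hit rate is about 1/256 whatever the block cipher, which is why an
    attacker who cannot know the session key just repeats the handshake.
    """
    rng = random.Random(seed)
    return sum(zero_credential(random_key(rng)) for _ in range(trials))


if __name__ == "__main__":
    n = 4096
    print("cipher:", "AES-128" if HAVE_AES else "HMAC stand-in (assumption)")
    print(f"{count_vulnerable_keys(n)} of {n} random session keys give an all-zero credential")
```

The same property also lets the attacker skip the signing and sealing step: the exploit negotiates flags that disable it, so the all-zero credential is the only proof of key knowledge the server ever sees, and with roughly 256 attempts on average the handshake succeeds.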

As you can imagine, this news prompted security professionals worldwide to build tooling for the ZeroLogon attack. Secura released a test script that only checks whether a domain controller is vulnerable, without changing its password; shortly afterwards the first working ZeroLogon exploit was made public.

ZeroLogon whitepaper

Secura published their whitepaper on Zerologon (CVE-2020-1472).

The whitepaper by Tom Tervoort (Secura)

ZeroLogon GitHub projects

There are various projects on GitHub that focus on CVE-2020-1472; we have listed some of them.

The vulnerability

Security professionals expect the vulnerability to be exploited in the near future, for example to spread ransomware. To perform the attack, an attacker needs network access to a domain controller, which in practice means a foothold on the organization’s internal network; as several past ransomware attacks have shown, that is rarely an obstacle. The fix shipped in the August 2020 Windows security updates. Patched domain controllers log Netlogon events 5827 to 5831 when they see vulnerable secure channel connections, which is the practical way to find unpatched or non-compliant devices before enforcement mode starts rejecting them.
