New Windows exploit lets you instantly become admin. Have you patched?

Discussion in 'Headline News' started by RickAgresta, Sep 15, 2020.

  1. RickAgresta

    RickAgresta Peanut, leader of the Peanutty Forces

    Zerologon lets anyone with a network toehold obtain domain-controller password.

    Researchers have developed and published a proof-of-concept exploit for a recently patched Windows vulnerability that can allow access to an organization’s crown jewels—the Active Directory domain controllers that act as an all-powerful gatekeeper for all machines connected to a network.

    CVE-2020-1472, as the vulnerability is tracked, carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System. Exploits require that an attacker already have a foothold inside a targeted network, either as an unprivileged insider or through the compromise of a connected device.

    An “insane” bug with “huge impact”
    Such post-compromise exploits have become increasingly valuable to attackers pushing ransomware or espionage spyware. Tricking employees to click on malicious links and attachments in email is relatively easy. Using those compromised computers to pivot to more valuable resources can be much harder.

    It can sometimes take weeks or months to escalate low-level privileges to those needed to install malware or execute commands. Enter Zerologon, an exploit developed by researchers from security firm Secura. It allows attackers to instantly gain control of the Active Directory. From there, they will have free rein to do just about anything they want, from adding new computers to the network to infecting each one with malware of their choice.

    “This attack has a huge impact,” researchers with Secura wrote in a white paper published on Friday. “It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”

    The Secura researchers who discovered the vulnerability and reported it to Microsoft said they developed an exploit that works reliably, but given the risk, they aren’t releasing it until they’re confident Microsoft’s patch has been widely installed on vulnerable servers. The researchers, however, warned that it’s not hard to use Microsoft’s patch to work backwards and develop an exploit. Meanwhile, separate researchers from other security firms have published their own proofs-of-concept attack code here, here, and here.

    The release and description of exploit code quickly caught the attention of the US Cybersecurity and Infrastructure Security Agency, which works to improve cybersecurity across all levels of government. Twitter on Monday was also blowing up with comments remarking on the threat posed by the vulnerability.

    “Zerologon (CVE-2020-1472), the most insane vulnerability ever!” one Windows user wrote. “Domain Admin privileges immediately from unauthenticated network access to DC.”

    “Remember something about least privileged access and that it doesn’t matter if a few boxes get pwned?” Zuk Avraham, a researcher who is founder and CEO of security firm ZecOps, wrote. “Oh well... CVE-2020-1472 / #Zerologon is basically going to change your mind.”
     
    scjjtt, lelisa13p and jigwashere like this.
  2. RickAgresta

    RickAgresta Peanut, leader of the Peanutty Forces

    lelisa13p and scjjtt like this.
  3. Hook

    Hook Professional Daydreamer

    Am I correct that this is a Windows Server concern? That is, it is of very serious concern to corporate and government setups, but is in fact of little concern to the home user? That seems to be the implication, although they are never clear.
     
    lelisa13p, scjjtt and RickAgresta like this.
  4. headcronie

    headcronie Greyscale. Nuff Said. Super Moderator

    This impacts Windows Server OS. If you don't have that, you're in the clear.

    *hc trudges off to patch and repatch his fleet*
     