Zerologon is the latest critical vulnerability found in the Windows Server OS. It affects every supported version from Windows Server 2008 R2 up to the most recent release from Microsoft, carries the maximum severity rating of 10.0, and public proof-of-concept (PoC) exploits that trigger it reliably are already circulating.

Get all the information you need about recent critical and serious vulnerabilities for which exploits are available on the Panda Security website and ensure your security and that of your customers with the solution that best adapts to your needs.

How does Zerologon operate?

The Netlogon Remote Protocol (MS-NRPC) is an RPC interface that domain-joined machines and domain controllers use as part of the Windows Server authentication architecture. A client (a workstation, a member server or another domain controller) first establishes a "secure channel" with a domain controller; over that channel it relays user logon requests to the DC, updates its own machine account password, and locates other domain controllers. The channel is protected with a session key derived from the client's machine account password and the challenges exchanged during the handshake, so that only a machine that really knows its password can be authenticated and, in turn, have its users logged on to servers.

The flaw lies in how the Netlogon handshake uses AES-CFB8 to compute the credential with which the client proves knowledge of the session key. The implementation always uses an all-zero initialization vector, so when the client also sends an all-zero challenge, the resulting credential is all zeros for roughly one in every 256 session keys. An attacker therefore needs no password at all: it simply keeps sending zero-filled challenges and credentials until the domain controller accepts one, which takes about 256 attempts on average and only a few seconds. Once accepted as the domain controller's own machine account, the attacker can use the Netlogon password-change call to set that account's password to an empty string, and from there extract the credentials of every account in the domain, domain administrators included, taking complete control of the DC. Because the initial authentication is bypassed entirely, the only precondition is the ability to open a TCP connection to the Netlogon RPC interface of a vulnerable domain controller. Any foothold on the network with a route to the DC is enough; no domain credentials are required.
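To make the AES-CFB8 failure concrete, the following is an added example that is not code from this page, from Microsoft, or from any published exploit. It implements CFB8 over a fixed zero IV, shows why an all-zero challenge produces an all-zero credential for about one key in 256 (and exactly when), and then runs the attacker's retry loop against a toy domain controller that picks a fresh session key per attempt, as the real one effectively does because its server challenge is random. The block cipher is a SHA-256-based stand-in chosen so the example runs with the Python standard library alone; it is not AES, but the property depends only on CFB8 with a constant zero IV, so substituting a real AES-128 block function reproduces the actual Netlogon computation. `ToyDomainController`, `spoof_attempts` and the generated session keys are illustrative assumptions, not real protocol messages.

```python
import hashlib
import random

BLOCK = 16  # AES block size in bytes; CFB8 keeps a 16-byte shift register


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES-128 (assumption: the flaw holds for ANY keyed
    # 16-byte block function). This SHA-256 construction is NOT AES and is
    # used only so the example runs offline with the standard library.
    assert len(key) == 16 and len(block) == BLOCK
    return hashlib.sha256(b"toy-block|" + key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 as MS-NRPC uses it: each output byte is the first byte of the
    block cipher applied to the shift register XORed with one plaintext
    byte; the output byte is then shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


ZERO_IV = bytes(BLOCK)
ZERO_CHALLENGE = bytes(8)  # Netlogon challenges and credentials are 8 bytes


def compute_credential(session_key: bytes, challenge: bytes) -> bytes:
    # The vulnerable credential computation: the IV is hard-coded to zero.
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zero_credential_hits(n_keys: int) -> int:
    """Count how many of n_keys deterministic keys turn the zero challenge
    into an all-zero credential. Expected roughly n_keys / 256."""
    hits = 0
    for i in range(n_keys):
        key = i.to_bytes(16, "big")
        if compute_credential(key, ZERO_CHALLENGE) == ZERO_CHALLENGE:
            hits += 1
    return hits


def first_byte_predicts_zero(key: bytes) -> bool:
    """Why exactly 1/256: with a zero IV and zero plaintext the register
    stays all-zero for as long as every output byte is zero, so the whole
    credential is zero if and only if the first byte of E_k(0^16) is 0."""
    whole_zero = compute_credential(key, ZERO_CHALLENGE) == ZERO_CHALLENGE
    return whole_zero == (block_encrypt(key, ZERO_IV)[0] == 0)


class ToyDomainController:
    """Simplified server side of the handshake (assumption): every attempt
    derives a fresh session key, mirroring the real protocol where the key
    mixes the machine password with a random server challenge."""

    def __init__(self, seed: int):
        self._rng = random.Random(seed)  # seeded only for reproducibility

    def handshake(self, client_challenge: bytes, client_credential: bytes) -> bool:
        session_key = self._rng.getrandbits(128).to_bytes(16, "big")
        expected = compute_credential(session_key, client_challenge)
        return expected == client_credential


def spoof_attempts(seed: int, max_attempts: int = 10_000) -> int:
    """Attacker loop: send a zero challenge and a zero credential until the
    DC accepts. Returns the attempt number that succeeded, 0 if none did."""
    dc = ToyDomainController(seed)
    for attempt in range(1, max_attempts + 1):
        if dc.handshake(ZERO_CHALLENGE, ZERO_CHALLENGE):
            return attempt
    return 0


if __name__ == "__main__":
    print("keys (of 4096) yielding an all-zero credential:", zero_credential_hits(4096))
    print("attempts until the toy DC accepted a zero credential:", spoof_attempts(seed=1))
```

Running the block shows two things the paragraph only states: the hit count over 4096 keys lands near 16 (one in 256), and the retry loop succeeds after a few hundred attempts at most, with no secret involved on the attacker's side. The patched protocol closes this by rejecting such handshakes rather than by changing the cipher mode.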

As mentioned above, a proof of concept (PoC) for exploiting this vulnerability is already public, together with a test script that checks whether a given domain controller has been patched or is still vulnerable. On the CVSSv3 scale the flaw carries the maximum score of 10.0, because all the attacker needs is network "visibility" of the domain controller: simply being on a network from which the DC is reachable is sufficient.

Reducing the window of opportunity

Microsoft published a patch for Zerologon in August 2020 together with a set of changes that harden the Netlogon secure channel, all of which administrators should roll out. The fix is staged: the initial update makes patched domain controllers refuse vulnerable Netlogon connections from Windows devices and log any remaining vulnerable connections from other devices, and a later enforcement phase (which administrators can switch on early) rejects them from every device. As with all vulnerabilities, it is critical that IT or cybersecurity managers deploy patches and updates as soon as possible to reduce the "window of opportunity" exploited by attackers, that is, the time between a vulnerability becoming public and the update that closes it being installed. Microsoft has also published guidance to help system administrators patch their domain controllers and configure the new settings correctly.

Organizations simply cannot afford to drop their guard against these threats; if anything, they should be reinforcing their defenses against vulnerabilities that attackers have been exploiting for some time now. One such example is a six-year-old denial of service (DoS) vulnerability affecting WordPress and Drupal, which the latest WatchGuard cybersecurity report lists among the top ten network attacks of the second quarter of this year.

Knowing about the problems you face is useful, but it is not enough. To ensure your cybersecurity posture is fit for purpose, you must be sure that systems are up to date and that the relevant patches have been applied. To help prioritize, manage, and deploy patches, Panda provides Panda Patch Management. This module of Panda Adaptive Defense, which requires no additional deployment on the customer's side, manages not only operating system patches and updates but also those of third-party applications.

There is also key information available on these security issues at the critical vulnerability portal created by Panda.