Avast_Security_News: A nasty Windows server domain bug: Patch now!
Quote:

Zerologon takes advantage of the Netlogon Remote Protocol, used in the authentication process

A new vulnerability in Windows domain controllers has been discovered. In a published paper in September, researchers from Secura found a cryptographic flaw and called it Zerologon.

It takes advantage of the Netlogon Remote Protocol that is used in the authentication process. All that it takes to exploit this flaw – and compromise a wide variety of Active Directory identity services – is a TCP-level connection to the domain controller itself. Secura published a test tool on Github that can tell you whether a domain controller is vulnerable or not. 

The discovery led to a rare emergency directive issued by CISA – the U.S. Cybersecurity and Infrastructure Security Agency – to patch all federally-owned Windows Servers by September 21, 2020, and to report to CISA those servers that are still vulnerable. That didn’t leave a lot of time for the patches to be applied. 

Why the rush?

Mainly because the attacks using this flaw have already been observed, and some analysts have said this is the most dangerous Windows bug of the year. Microsoft reported seeing active threats on one of its Twitter accounts. Included in these tweets are three samples that Microsoft states were used in the attacks. These samples are .NET executables with the filename 'SharpZeroLogon.exe' and can be found on VirusTotal (see samples 1, 2, and 3). And one researcher posted a proof-of-concept demonstration video. “If affected domain controllers cannot be updated, ensure they are removed from the network,” the CISA directive stated.

Microsoft was alerted earlier and released a patch for the vulnerability (CVE-2020-1472) as part of its August 11, 2020, Patch Tuesday security updates. Even still, there is a big remaining issue, since Windows domains can receive logins from other operating systems and devices. That means that Microsoft still has some work to eliminate the potential vulnerability. Non-Microsoft devices may not support this patch and could still expose your domain for attacks, and that’s why Microsoft will enforce secure RPC usage for accounts on non-Windows devices in February 2021.

CSOonline has several other suggestions for IT administrators, including scripts that can be used to review portions of the relevant server event logs. In the meantime, don’t delay on your patching.  
...
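The article mentions reviewing domain controller event logs after patching; the following is an added example, not part of the article or the CSOonline scripts it refers to. It assumes a domain controller with the August 2020 update installed, which writes Netlogon events 5827-5831 to the System log whenever a device still uses a vulnerable Netlogon secure channel (those event IDs are Microsoft's, not taken from this page), and it assumes the message text carries a "SamAccountName:" field as those events are documented to do.

```powershell
# Added example (not from the article): summarise Netlogon events that the
# August 2020 update for CVE-2020-1472 writes on a domain controller when a
# client still connects over a vulnerable Netlogon secure channel.
# Run as an administrator on a patched DC. Event IDs per Microsoft's
# documentation of that update (assumption: not on the page being discussed).
$NetlogonEventIds = @{
    5827 = 'DENIED  - vulnerable connection, machine account'
    5828 = 'DENIED  - vulnerable connection, trust account'
    5829 = 'ALLOWED - vulnerable connection (deployment phase, will fail at enforcement)'
    5830 = 'ALLOWED - vulnerable connection, machine account exempted by group policy'
    5831 = 'ALLOWED - vulnerable connection, trust account exempted by group policy'
}

$Since = (Get-Date).AddDays(-7)   # look back one week; adjust to taste

$Events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = [int[]]$NetlogonEventIds.Keys
    StartTime    = $Since
} -ErrorAction SilentlyContinue

if (-not $Events) {
    Write-Output "No vulnerable-connection Netlogon events since $Since (or the August 2020 update is not installed)."
    return
}

# One row per event; the account name is pulled from the message body.
# Assumption: the field is labelled 'SamAccountName:' as in Microsoft's
# event description; the row shows '<unparsed>' if the format differs.
$Rows = foreach ($e in $Events) {
    $account = if ($e.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Account = $account
        Meaning = $NetlogonEventIds[$e.Id]
    }
}

# Devices that are still ALLOWED (5829-5831) are the ones to fix or exempt
# deliberately before Microsoft's enforcement phase turns them into denials.
$Rows | Sort-Object EventId, Account, Time | Format-Table -AutoSize

Write-Output "`nDistinct accounts per event ID:"
$Rows | Group-Object EventId | ForEach-Object {
    '{0}: {1} account(s)' -f $_.Name, ($_.Group.Account | Sort-Object -Unique).Count
}
```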