Avast_Security_News: A nasty Windows server domain bug: Patch now!

Zerologon takes advantage of the Netlogon Remote Protocol, used in the authentication process

A new vulnerability in Windows domain controllers has been discovered. In a published paper in September, researchers from Secura found a cryptographic flaw and called it Zerologon.

It takes advantage of the Netlogon Remote Protocol that is used in the authentication process. All that it takes to exploit this flaw – and compromise a wide variety of Active Directory identity services – is a TCP-level connection to the domain controller itself. Secura published a test tool on GitHub that can tell you whether a domain controller is vulnerable or not.

The discovery led to a rare emergency directive issued by CISA – the U.S. Cybersecurity and Infrastructure Security Agency – to patch all federally-owned Windows Servers by September 21, 2020, and to report to CISA those servers that are still vulnerable. That didn’t leave a lot of time for the patches to be applied. 

Why the rush?

Mainly because the attacks using this flaw have already been observed, and some analysts have said this is the most dangerous Windows bug of the year. Microsoft reported seeing active threats on one of its Twitter accounts. Included in these tweets are three samples that Microsoft states were used in the attacks. These samples are .NET executables with the filename 'SharpZeroLogon.exe' and can be found on VirusTotal (see samples 1, 2, and 3). And one researcher posted a proof-of-concept demonstration video. “If affected domain controllers cannot be updated, ensure they are removed from the network,” the CISA directive stated.

Microsoft was alerted earlier and released a patch for the vulnerability (CVE-2020-1472) as part of its August 11, 2020, Patch Tuesday security updates. Even still, there is a big remaining issue, since Windows domains can receive logins from other operating systems and devices. That means that Microsoft still has some work to eliminate the potential vulnerability. Non-Microsoft devices may not support this patch and could still expose your domain for attacks, and that’s why Microsoft will enforce secure RPC usage for accounts on non-Windows devices in February 2021.

CSOonline has several other suggestions for IT administrators, including scripts that can be used to review portions of the relevant server event logs. In the meantime, don’t delay on your patching.  
...
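The article points to scripts for reviewing the relevant server event logs and to Microsoft's planned enforcement of secure RPC. The following PowerShell is an added example for defenders, not code from the article, Avast, CSOonline or Microsoft. It assumes two things that come from Microsoft's own guidance for the August 2020 Netlogon update rather than from this page: that a patched domain controller logs Event IDs 5827 to 5831 in the System log whenever a vulnerable Netlogon secure channel connection is denied or allowed, and that enforcement mode is switched on by the registry DWORD FullSecureChannelProtection under the Netlogon Parameters key. Run it elevated on each domain controller after the patch is installed.

```powershell
# Added example (not from the article): defender-side checks on a domain controller
# after the August 2020 update for CVE-2020-1472 is installed.
# Assumptions (from Microsoft's Netlogon secure channel guidance, not from the article):
#   - Patched Netlogon writes these Event IDs to the System log:
#       5827 / 5828 : vulnerable secure channel connection DENIED (machine / trust account)
#       5829        : vulnerable connection ALLOWED (only possible while enforcement is off)
#       5830 / 5831 : vulnerable connection allowed by the "Domain controller: Allow
#                     vulnerable Netlogon secure channel connections" group policy
#   - Enforcement mode is on when the DWORD FullSecureChannelProtection = 1 under
#     HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
param(
    [int]$Days = 7   # how far back to look in the System log
)

$since = (Get-Date).AddDays(-$Days)

# 1. Is this DC already refusing vulnerable connections (enforcement mode)?
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$reg = Get-ItemProperty -Path $regPath -Name FullSecureChannelProtection -ErrorAction SilentlyContinue
if ($reg -and $reg.FullSecureChannelProtection -eq 1) {
    Write-Host "[$env:COMPUTERNAME] Enforcement mode ON: vulnerable Netlogon connections are refused."
} else {
    Write-Host "[$env:COMPUTERNAME] Enforcement mode OFF: vulnerable connections are still accepted (see Event ID 5829 below)."
}

# 2. Collect the Netlogon vulnerable-connection events for the last $Days days.
$filter = @{ LogName = 'System'; Id = 5827, 5828, 5829, 5830, 5831; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Netlogon vulnerable-connection events (5827-5831) since $since."
    return
}

# 3. Count per event ID: 5829 entries are the devices that will break once
#    enforcement is turned on, so they need patching or retiring first.
Write-Host "`nEvent counts since $since :"
$events | Group-Object Id | Sort-Object Name |
    ForEach-Object { '  ID {0}: {1} event(s)' -f $_.Name, $_.Count }

# 4. Detail view: the message body names the machine or trust account that
#    made (or tried to make) the vulnerable connection, which is what an
#    administrator needs in order to find the non-Windows device behind it.
$events |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run it once per domain controller (or wrap it in Invoke-Command for a fleet). A clean run shows enforcement mode ON and no 5829 events; a run that shows 5829 events lists exactly the accounts the article warns about, the non-Microsoft devices that will stop authenticating once secure RPC is enforced, so they can be fixed before that date rather than after.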