Microsoft last month fixed one of the most serious bugs ever reported to the company, an issue that could be abused to hijack Windows Servers running as domain controllers on corporate networks.
The bug was patched on the August 2020 Patch Tuesday and is tracked as CVE-2020-1472. Microsoft described it as an elevation of privilege in Netlogon (Netlogon is the Windows Server process that authenticates users and other services in a domain).
The vulnerability received the maximum severity score of 10, but the technical details were never made public, meaning users and IT admins did not know how dangerous the problem really was.
But in a blog post today, the team at Secura BV (a Dutch security company) posted more details about this mysterious bug, publishing a technical report that describes CVE-2020-1472 in greater depth.
And according to the report, the bug is truly worthy of its 10/10 CVSSv3 severity score.
According to Secura's experts, the bug, which they named Zerologon, exploits a weak cryptographic algorithm used in the Netlogon authentication process.
This flaw allows an attacker to manipulate the Netlogon authentication process and:
- impersonate any computer on the network when authenticating against the domain controller
- disable security features in the Netlogon authentication process
- change the password of a computer account in the domain controller's Active Directory
The crux, and the reason the bug was named Zerologon, is that the attack works by filling certain parameters of the Netlogon authentication exchange with zero bytes.
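To make the "zero" concrete: Secura's report shows that Netlogon derives its session credentials with AES in CFB8 mode using a fixed, all-zero initialization vector. The following Python is an added illustration, not code from this article or from Secura. It implements CFB8 mode generically and, because the mode only ever needs the block cipher's forward direction, stands in for the AES block function with a SHA-256-based pseudorandom function (an assumption of this example, chosen so it runs with no third-party libraries; the argument depends only on the block function being unpredictable, not on which one it is). It shows why an all-zero 8-byte challenge encrypts to an all-zero credential for roughly 1 key in 256: once the first keystream byte happens to be zero, the zero ciphertext byte is shifted into the all-zero IV, and every subsequent byte repeats the same computation.

```python
import hashlib

BLOCK = 16  # block size in bytes, the same as AES


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher's forward direction (hypothetical, not AES).
    SHA-256 keyed by prefixing the key behaves as a fixed pseudorandom function
    of (key, block), which is all the argument below relies on."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, plaintext: bytes, iv: bytes = bytes(BLOCK),
                 block_encrypt=toy_block_encrypt) -> bytes:
    """CFB8 mode: for each plaintext byte, encrypt the current shift register,
    XOR its first keystream byte with the plaintext byte, then shift the
    resulting ciphertext byte into the register. Netlogon uses iv = 0^16."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(shift))[0]
        c = keystream_byte ^ p
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def zero_credential_succeeds(key: bytes, block_encrypt=toy_block_encrypt) -> bool:
    """Does an all-zero 8-byte client challenge encrypt, under a zero IV, to an
    all-zero 8-byte credential? With a zero IV and zero plaintext this is true
    exactly when the first byte of E_k(0^16) is zero: the zero ciphertext byte
    keeps the shift register all-zero, so every byte repeats the first one."""
    return cfb8_encrypt(key, bytes(8), block_encrypt=block_encrypt) == bytes(8)


def first_keystream_byte_is_zero(key: bytes, block_encrypt=toy_block_encrypt) -> bool:
    """The single condition that decides zero_credential_succeeds for a zero IV."""
    return block_encrypt(key, bytes(BLOCK))[0] == 0


def demo_key(i: int) -> bytes:
    """Deterministic constructed session keys for the experiment below."""
    return hashlib.sha256(b"zerologon-demo-key-" + i.to_bytes(4, "big")).digest()


def count_zero_keys(num_keys: int) -> int:
    """How many of num_keys constructed keys let the all-zero credential through.
    For an unpredictable block function the expected fraction is 1/256."""
    return sum(zero_credential_succeeds(demo_key(i)) for i in range(num_keys))


if __name__ == "__main__":
    n = 4096
    hits = count_zero_keys(n)
    print(f"{hits} of {n} keys accept an all-zero credential "
          f"(~{hits / n:.4f}; expected about {1 / 256:.4f})")
    # Each failed attempt costs the attacker nothing; Netlogon does not lock
    # out computer accounts, so a few hundred retries reach a zero key.
```

The same loop with a fresh random IV per session would require all eight keystream bytes to be zero at once (probability 2^-64), which is the difference between an unexploitable corner case and an attack that succeeds after a couple of hundred tries.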
The attack is very fast and takes three seconds at most. In addition, there are no limits to how an intruder can use the Zerologon attack. For example, the attacker could also impersonate the domain controller itself and change its computer account password, allowing the attacker to take over the entire corporate network.
Once that happens, it is quite literally game over for the company.
"This attack has a huge impact," Secura said. "It basically allows any attacker on the local network to completely compromise the Windows domain."
In addition, this bug is also a gift for malware and ransomware gangs, which often rely on infecting a single computer inside a company's network and then spreading their malware or ransomware to other systems. With Zerologon, that process has been greatly simplified.