UPDATE
The “perfect” Windows vulnerability known as the Zerologon bug is getting a patch assist from two non-Microsoft sources, as they strive to fill in the gaps that the official fix doesn’t address.
The fixes arrive as Microsoft announced that it is tracking active exploitation in the wild. “We have observed attacks where public exploits have been incorporated into attacker playbooks,” the firm tweeted on Wednesday.
Both Samba and 0patch have issued fixes for CVE-2020-1472, a privilege-escalation bug which, as previously reported, stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user- and machine-authentication.
Exploiting the bug allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services, according to Microsoft. A proof-of-concept exploit was just released for the issue, which is a critical flaw rating 10 out of 10 on the CVSS severity scale.
“This attack has a huge impact: It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain,” said researchers with Secura, in a whitepaper published earlier this month.
Microsoft did issue a patch for the flaw in August, during its regularly scheduled Patch Tuesday updates. However, not all systems are compatible with the fix, according to Mitja Kolsek, CEO and co-founder at 0patch, which issued a “micropatch” of its own for the bug.
“Our micropatch was made for Windows Server 2008 R2, which reached end-of-support this January and stopped receiving Windows updates,” Kolsek told Threatpost. “Many organizations are still using this server and the only way for it to get extended security updates from Microsoft was to move it to Azure (cloud) — which is an unacceptable option for most organizations.”
The micropatch is logically identical to Microsoft’s fix, he explained in a recent blog post: “We injected it in function NetrServerAuthenticate3 in roughly the same place where Microsoft added the call to NlIsChallengeCredentialPairVulnerable, but since the latter doesn’t exist in old versions of netlogon.dll, we had to implement its logic in our patch.”
0patch is also porting the micropatch to various still-supported Windows Servers for customers who for various reasons can’t apply the Microsoft patch, he added.
Meanwhile, it turns out that Samba, the open-source file-sharing suite used to share files between Linux and Windows systems, also implements the Netlogon protocol, and thus suffers from the vulnerability.
The bug exists only when Samba is used as a domain controller (most seriously as an Active Directory DC, but also as a classic/NT4-style DC), the Samba team said in an advisory this week. It added, “installations running Samba as a file server only are not directly affected by this flaw, though they may need configuration changes to continue to talk to domain controllers.”
The Samba team noted that versions 4.8 and above of Samba are not vulnerable unless they have the smb.conf lines ‘server schannel = no’ or ‘server schannel = auto’. Samba versions 4.7 and below are vulnerable unless they have ‘server schannel = yes’ in smb.conf.
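As an added check that is not part of the Samba advisory or the Samba project, the following Python applies those two version-dependent rules to the [global] section of an smb.conf. The sample configurations are constructed, and detecting a domain controller via ‘server role’ or ‘domain logons = yes’ is an assumption of this script.

```python
import re

# Constructed sample smb.conf fragments (not from the Samba advisory), one per case.
SAMPLE_CONFS = {
    "dc_default": "[global]\n  workgroup = EXAMPLE\n  server role = active directory domain controller\n",
    "dc_schannel_no": "[global]\n  server role = active directory domain controller\n  server schannel = no  # weak\n",
    "dc_schannel_auto": "[global]\n  server role = classic primary domain controller\n  server schannel = auto\n",
    "dc_schannel_yes": "[global]\n  server role = classic primary domain controller\n  server schannel = yes\n",
    "file_server": "[global]\n  server role = standalone server\n  server schannel = no\n",
}

def parse_global(conf_text):
    """Return the [global] section as {lower-cased key: lower-cased value}.
    '#' and ';' comments and blank lines are ignored; other sections are skipped."""
    settings, in_global = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            settings[" ".join(key.lower().split())] = value.strip().lower()
    return settings

def parse_version(version):
    """'4.12.6-Ubuntu' -> (4, 12, 6); the numeric components suffice for the 4.8 cut-off."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def zerologon_exposed(conf_text, version):
    """Apply the advisory's rule and return (exposed, reason).
    Assumption: a DC is recognised by 'server role' containing 'domain controller'
    or by the legacy 'domain logons = yes' setting."""
    g = parse_global(conf_text)
    is_dc = "domain controller" in g.get("server role", "") or g.get("domain logons") == "yes"
    if not is_dc:
        return False, "not a domain controller: file-server-only installs are not directly affected"
    schannel = g.get("server schannel")  # None when the line is absent (Samba default applies)
    shown = schannel or "unset"
    if parse_version(version) >= (4, 8):
        # 4.8 and above: vulnerable only if explicitly set to 'no' or 'auto'
        return schannel in ("no", "auto"), f"Samba {version}, server schannel = {shown}"
    # 4.7 and below: vulnerable unless explicitly set to 'yes'
    return schannel != "yes", f"Samba {version}, server schannel = {shown}"
```

Run it against a real smb.conf by passing the file contents and the output of `smbd -V` to `zerologon_exposed`; any DC reported as exposed should get ‘server schannel = yes’ and the updated release.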
Last Friday, the U.S. Cybersecurity and Infrastructure Security Agency issued an emergency directive for federal agencies to patch against the bug. Federal agencies that haven’t patched their Windows Servers against the Zerologon vulnerability by Monday Sept. 21 at 11:59 pm EDT are in violation of the directive. And in light of the active, in-the-wild exploitation flagged by Microsoft, patching should be at the top of the to-do list for all organizations.
Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.
— Microsoft Threat Intelligence (@MsftSecIntel) September 24, 2020
This story was updated at 11 a.m. ET on Sept. 23 to include information on active exploitation.