US CISA: Agencies Must Patch Zerologon Bug by Monday
The US Department of Homeland Security (DHS) has issued an emergency directive designed to force all civilian government agencies to patch a high-risk Windows vulnerability.
CVE-2020-1472 is a critical elevation of privilege bug which exists when an attacker uses the Netlogon Remote Protocol to establish a vulnerable secure channel connection to a domain controller, according to Microsoft. It affects Windows Server 2008 onwards.
Dubbed “Zerologon,” the flaw was fixed in the August Patch Tuesday, although proof-of-concept exploits started to appear over the past week.
As such, it now poses an “unacceptable risk” to the federal civilian executive branch that requires “immediate and urgent action,” the Cybersecurity and Infrastructure Security Agency (CISA) said on Friday.
“The vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, could allow an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services,” it explained.
“Applying the update released on August 11 to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network).”
The resulting emergency directive 20-04 requires all civilian government agencies to patch all Windows Servers with a domain controller role by 23:59 EDT this evening, or remove them from the network.
ExtraHop CISO Jeff Costlow argued that the Zerologon bug is easy for attackers to exploit.
“The first PoCs have shown that unauthenticated attackers are able to obtain full administrator privileges on Active Directory systems,” he added.
“Any organizations without the ability to detect exploit attempts will remain at high risk if they delayed the patch as there is no way to know if they were exposed in between the time of reporting and the system update. We urge organizations to patch immediately and be aware that their system might have already been compromised.”
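The directive's mitigation is to update every domain controller, and Costlow's point is that organizations also need a way to see whether vulnerable Netlogon connections are still being attempted or allowed. The August 11 update gives defenders exactly that: a patched domain controller writes Netlogon events 5827 through 5831 to its System log whenever a vulnerable secure channel is denied or allowed. The following PowerShell script is an added example, not code from the article, CISA or Microsoft; it surveys all domain controllers for those events. It assumes the ActiveDirectory RSAT module is installed, that the caller can read the System log on each DC remotely, and that a seven-day look-back window is a sensible default.

```powershell
#Requires -Modules ActiveDirectory
<#
Added example (not from the article). Surveys every domain controller for the
Netlogon secure-channel events (IDs 5827-5831) that the August 11, 2020 update
writes to the System log, so a defender can see whether vulnerable Netlogon
connections are still being attempted or allowed. Assumes the ActiveDirectory
RSAT module and rights to read the System log on each DC remotely.
#>
param(
    [int]$Days = 7   # look-back window; one week is an assumed default
)

# Netlogon event IDs introduced by the August 2020 update (Microsoft-documented).
$NetlogonEvents = @{
    5827 = 'Denied vulnerable secure channel (machine account)'
    5828 = 'Denied vulnerable secure channel (trust account)'
    5829 = 'Allowed vulnerable secure channel (would be denied in enforcement mode)'
    5830 = 'Allowed vulnerable secure channel via group policy exception (machine account)'
    5831 = 'Allowed vulnerable secure channel via group policy exception (trust account)'
}

$since = (Get-Date).AddDays(-$Days)

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Pull only the Netlogon events of interest from the DC's System log.
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName   = 'System'
            Id        = [int[]]$NetlogonEvents.Keys
            StartTime = $since
        }
    } catch {
        # Get-WinEvent raises an error when nothing matches; treat that as zero events.
        # Any other failure (DC unreachable, access denied) is reported and skipped.
        if ($_.Exception.Message -match 'No events were found') {
            $events = @()
        } else {
            Write-Warning "Could not read System log on $($dc.HostName): $($_.Exception.Message)"
            continue
        }
    }

    # Caveat: a DC that writes none of these IDs may simply be idle, or it may be
    # unpatched (unpatched DCs never write them). Confirm patch state separately.
    $byId = $events | Group-Object -Property Id
    foreach ($id in $NetlogonEvents.Keys) {
        $group = $byId | Where-Object { [int]$_.Name -eq $id }
        [pscustomobject]@{
            DomainController = $dc.HostName
            EventId          = $id
            Meaning          = $NetlogonEvents[$id]
            Count            = if ($group) { $group.Count } else { 0 }
            LastSeen         = if ($group) { ($group.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated } else { $null }
        }
    }
}

$report | Sort-Object DomainController, EventId | Format-Table -AutoSize

# Anything denied (5827/5828) or still allowed (5829-5831) deserves follow-up:
# the event message names the account or device that attempted the connection.
$report | Where-Object { $_.Count -gt 0 } | ForEach-Object {
    Write-Warning "$($_.DomainController): $($_.Count) x event $($_.EventId) ($($_.Meaning)), last seen $($_.LastSeen)"
}
```

Run it from a workstation with RSAT as a user who can read event logs on the domain controllers. Denied events (5827/5828) show that something tried to open a vulnerable secure channel and the patch blocked it; allowed events (5829 through 5831) show connections the patch is still letting through, which is what an exploit attempt against an updated but not yet enforcing DC would look like. A DC that logs nothing in the window is not thereby proven patched, so pair this with a separate check of installed updates.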