Zerologon explained: Why you should patch this critical Windows Server flaw now

On Friday, September 18, the US Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal agencies to patch a critical privilege escalation flaw that affects Windows servers and could allow hackers to take over Windows networks. A patch has existed for the vulnerability — dubbed Zerologon — since August, but recently released technical details allowed hackers to create easy-to-use exploits. If your organization hasn’t patched this flaw yet because Microsoft’s original patch notes said exploitation was “less likely,” you should do so immediately.

What is Zerologon?

Zerologon, tracked as CVE-2020-1472, is an authentication bypass vulnerability in the Netlogon Remote Protocol (MS-NRPC), a remote procedure call (RPC) interface that Windows uses to authenticate users and computers on domain-based networks. It was designed for specific tasks such as maintaining relationships between members of domains and the domain controller (DC), or between multiple domain controllers across one or multiple domains and replicating the domain controller database.

One of Netlogon’s features is that it allows computers to authenticate to the domain controller and update their password in the Active Directory, and it’s this particular feature that makes the Zerologon flaw dangerous. In particular, the vulnerability allows an attacker to impersonate any computer to the domain controller and change their password, including the password of the domain controller itself. This results in the attacker gaining administrative access and taking full control of the domain controller and therefore the network.

Zerologon is a privilege escalation vulnerability and is rated as critical by Microsoft even though the company said in the original advisory that exploitation was less likely. It is not a vulnerability that allows attackers to break into Windows networks, but it is highly valuable as a second-stage exploit for lateral movement.

A crypto implementation mistake 

Researchers from Dutch security firm Secura, who found this vulnerability, released a whitepaper last week that explains in detail why the flaw exists and how it works. MS-NRPC’s handshake and authentication involves the use of AES-CFB8 (8-bit cipher feedback) mode. This is a more obscure variant of the AES block cipher that is designed to work with blocks of 8 bytes of input instead of the regular 16 bytes (128-bit).

“In order to be able to encrypt the initial bytes of a message, an Initialisation Vector (IV) must be specified to bootstrap the encryption process,” Secura researcher Tom Tervoort said in the whitepaper. “This IV value must be unique and randomly generated for each separate plaintext that is encrypted with the same key. The ComputeNetlogonCredential function [of the MS-NRPC protocol], however, defines that this IV is fixed and should always consist of 16 zero bytes. This violates the requirements for using AES-CFB8 securely: Its security properties only hold when IVs are random.”

Tervoort figured out that because of this implementation error for 1 in 256 keys, applying AES-CFB8 encryption to an all-zero plaintext will result in all-zero ciphertext. In the context of MS-NRPC, the attacker impersonating a client can send a challenge during the handshake made up of 8-bytes of zeros and keep retrying for 256 times until the server will accept it, bypassing authentication. This is a simplification of the whole process, which is detailed in the whitepaper, because the goal of a handshake in a key exchange protocol is to establish a shared secret between two parties that is used to secure the connection without actually exposing passwords or secret keys before the communication channel is secure.

Bypassing authentication in this case means the attacker can trick a domain controller to believe it’s communicating with a certain authenticated user without actually knowing the real password of that user. This is just the first step in the exploit chain. Another step is to disable signing and sealing — encryption for the communication channel — which is optional and can be controlled by the client as the server will not refuse clients that don’t request encryption.

Finally, attackers can request a password change for the user they impersonate, but this will only change the password in the Active Directory, not the password stored locally in the registry of that computer. Impersonating the domain controller itself and changing its AD password will cause a mismatch with the local password and the DC can stop responding or start behaving in unpredictable ways.

To complete the attack and obtain domain admin access, additional steps are required. The attacker can use their MS-NRPC authenticated access to run a tool that dumps the locally stored password hashes and then executes a pass-the-hash attack to authenticate as domain administrator and change the DC’s computer password stored in the local registry.

“Implementing cryptographic protocols is tricky: One small oversight can lead to all kinds of methods to bypass the intended function of the scheme (in this case: computer authentication and transport security),” Tervoort concluded.

The Zerologon patch

Microsoft rolled out a patch in August, but said at the time that it was only the first part of a phased rollout that is expected to be completed during the first quarter of 2021. The reason for this is that the flaw is at the protocol level and changing the way a protocol works can create major disruptions on networks if not all servers and clients are updated to be aware of the changes.

The patches are only available for versions of Windows Server that are still supported and receive security updates, but in practice, many networks have legacy Windows devices or non-Windows devices that communicate with domain controllers using the protocol.

“The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions,” Microsoft said in its advisory. “The second phase, planned for a Q1 2021 release, marks the transition into the enforcement phase. The DCs will be placed in enforcement mode, which requires all Windows and non-Windows devices to use secure remote procedure call (RPC) with Netlogon secure channel or to explicitly allow the account by adding an exception for any non-compliant device.”

Even though secure channel will not be enforced by default until next year, Tervoort confirmed that the patch also blocks step 1 of his attack, which involves sending zeroes as the handshake challenge. Microsoft’s protocol specification has also been updated to read: “If none of the first 5 bytes of the client challenge is unique, the server must fail session-key negotiation without further processing of the following steps.”

The attack as it is now will be blocked just with the August patches, but mechanisms are in place to allow non-compliant clients that don’t yet support channel encryption to keep communicating with domain controllers in order to avoid disruptions.

Researchers from 0patch, a company that develops in-memory micropatches for binary files, have also reverse-engineered Microsoft’s fix and created their own that can be applied to Windows Server 2008 R2 without Extended Security Updates. Standard support for Windows Server 2008 and 2008 R2 ended in January. However, the micropatch developed by 0patch can only be applied through their software agent by paying customers.

The DHS emergency directive

The Department of Homeland Security, through CISA, issued emergency directives to federal agencies ordering them to take certain actions in response to high-risk information security threats, but this is not a frequently used mechanism. Since 2016, the agency has issued only 13 such directives; four of them were issued this year.

Emergency Directive 20-04 was issued on September 18 after Secura published its whitepaper and hackers created proof-of-concept exploits, which significantly increased the risk of Zerologon being exploited in the wild. It said, in part:

CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action. This determination is based on the following:

• the availability of the exploit code in the wild increasing likelihood of any upatched domain controller being exploited;
• the widespread presence of the affected domain controllers across the federal enterprise;
• the high potential for a compromise of agency information systems;
• the grave impact of a successful compromise; and
• the continued presence of the vulnerability more than 30 days since the update was released.