Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable 部落格

訂閱

CVE-2020-1472:Netlogon Could 中的「Zerologon」弱點能讓攻擊者綁架 Windows 網域控制站

Security researchers reveal how the cryptographic authentication scheme in Netlogon can be exploited to take control of a Windows domain controller (DC).

Update: September 21, 2020: The ‘Identifying Affected Systems’ section has been updated to include instructions for our new unauthenticated check for Zerologon.

Update: October 02, 2020: The ‘Identifying Affected Systems’ section has been updated to highlight the release of the Zerologon scan template for Nessus and Tenable.io.

背景說明

On September 11, researchers at Secura published a blog post for a critical vulnerability they’ve dubbed “Zerologon.” The blog post contains a whitepaper explaining the full impact and execution of the vulnerability, identified as CVE-2020-1472, which received a CVSSv3 score of 10.0, the maximum score. Zerologon was patched by Microsoft in the August Patch Tuesday round of updates. This disclosure follows a previous Netlogon related vulnerability, CVE-2019-1424, which Secura detailed at the end of last year.

分析

CVE-2020-1472 is a privilege escalation vulnerability due to the insecure usage of AES-CFB8 encryption for Netlogon sessions. The AES-CFB8 standard requires that each byte of plaintext, like a password, must have a randomized initialization vector (IV) so that passwords can’t be guessed. The ComputeNetlogonCredential function in Netlogon sets the IV to a fixed 16 bits, which means an attacker could control the deciphered text. An attacker can exploit this flaw to impersonate the identity of any machine on a network when attempting to authenticate to the Domain Controller (DC). Further attacks are then possible, including the complete takeover of a Windows domain. Secura’s whitepaper also notes that an attacker would be able to simply run Impacket’s ‘secretsdump’ script to pull a list of user hashes from a target DC.

In order to exploit this vulnerability, the attacker would need to launch the attack from a machine on the same Local Area Network (LAN) as their target. A vulnerable client or DC exposed to the internet is not exploitable by itself. The attack requires that the spoofed login works like a normal domain login attempt. Active Directory (AD) would need to recognize the connecting client as being within its logical topology, which external addresses wouldn’t have.

CVE-2020-1472: Zerologon Vulnerability in Netlogon Could Allow Attackers to Hijack Windows Domain Controller

Image source: Secura CVE-2020-1472 Whitepaper

概念驗證

Several proofs of concept (PoCs) have been published to GitHub [1] [2] [3] [4] which demonstrates wide interest and experimentation across the security community. Researchers have been fast at work to confirm successful exploitation. Critical and high profile vulnerabilities tend to receive widespread interest from security researchers and attackers alike.

In a hypothetical attack, one could use this vulnerability to deploy ransomware throughout an organization and maintain a persistent presence if cleanup and restoration efforts miss any additional malicious scripts. Organizations with network-accessible backups could end up with a perfect storm if a ransomware group destroys backups to increase their likelihood of payout from the victim organization.

解決方法

Applying the August Patch Tuesday update from Microsoft's Advisory will fix the vulnerability by enforcing remote procedure call (RPC) in the Netlogon protocol for all Windows devices. Tenable strongly encourages users and admins alike to apply this patch as soon as possible.

Users should be aware that Microsoft notes a revision to this advisory will be coming on February 9, 2021, and that, once the enforcement phase begins, enforcement mode will be required for all non-Windows devices. Administrators can manually allow specific devices through group policy for legacy device needs.

找出受影響的系統

A list of Tenable plugins to identify this vulnerability can be found here. Tenable will also be releasing additional plugins for the February 9, 2021, update. A compliance audit file, available here, can be used to ensure that the FullSecureChannelProtection registry key value is set in group policy on the DC. The August 2020 fix should set this registry key after the patch has successfully been applied.

Tenable has also released Microsoft Netlogon Elevation of Privilege, an unauthenticated plugin for customers that would like to scan their DCs to test exploitability. This plugin attempts to authenticate to the target using an all zero client credential after providing an all zero client challenge. On vulnerable targets, this will succeed on average once every 256 attempts, and this plugin will attempt this up to 2000 times in order to verify if the target is affected. Due to the number of login attempts required to accurately verify exploitability of a target, Tenable does not recommend running this plugin alongside any other plugins in a scan, as it is intended for single-target Domain Controller scans. To enable the plugin, users must disable the 'Only use credentials provided by the user' setting under the Brute Force section in the Assessment options in their scan configuration.

Tenable.io and Nessus users will also be able to take advantage of the new scan template dedicated to targeting Zerologon. Plugin 140657 and its dependencies are automatically enabled within the template, and it also comes with the necessary brute force settings automatically configured.

取得更多資訊

加入 Tenable Community 的 Tenable 安全回應團隊

深入瞭解 Tenable,這是用於全面管理新型攻擊破綻的首創 Cyber Exposure 平台。

Get a free 30-day trial of Tenable.io Vulnerability Management.

相關文章

您是否容易受到最新攻擊程式危害?

輸入您的電子郵件地址,以便收到最新 cyber exposure 警示。

Tenable.io 免費試用 30 天

享受現代、雲端型的弱點管理平台,能夠以無與倫比的準確性查看和追蹤所有資產。 立即註冊。

Tenable.io 購買

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

65 項資產

選取您的訂閱選項:

立即購買

免費試用 Nessus Professional

免費試用 7 天

Nessus® 是現今市場上功能最全面的弱點掃描工具。Nessus Professional 能協助自動化弱點掃描程序、節省您達到合規性的時間並讓您的 IT 團隊合作。

購買 Nessus Professional

Nessus® 是現今市場上功能最全面的弱點掃描工具。Nessus Professional 能協助自動化弱點掃描程序、節省您達到合規性的時間並讓您的 IT 團隊合作。

購買多年期授權,節省更多。新增 365 天全年無休 24 小時全天候可使用電話、社群及對談的進階支援。

選擇您的授權

購買多年期授權,節省更多。

增加支援與訓練

試用 Tenable.io Web Application Scanning

免費試用 30 天

享受我們專為現代應用程式而設計,屬於 Tenable.io 平台一部分的最新 Web 應用程式掃描產品的所有功能。不需耗費大量人力或中斷重要 Web 應用程式,即可高度準確且安全地掃描您整個線上產品系列中是否含有任何弱點。 立即註冊。

購買 Tenable.io Web Application Scanning

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

5 個 FQDN

$3,578

立即購買

試用 Tenable.io Container Security

免費試用 30 天

享受整合至弱點管理平台中的唯一容器安全產品的完整功能。監控容器映像中是否有弱點、惡意軟體及政策違規的情形。與持續整合和持續部署 (CI/CD) 系統整合,以支援 DevOps 作法、加強安全性並支援企業政策合規性。

購買 Tenable.io Container Security

Tenable.io Container Security 整合了建置程序,能提供包含弱點、惡意軟體和政策違規等容器影像安全性的能見度,讓您無縫並安全地啟用 DevOps 流程。

試用 Tenable Lumin

免費試用 30 天

透過 Tenable Lumin,能夠以視覺方式呈現 Cyber Exposure 並加以探索,長期追蹤風險降低狀況,以及對照同業進行指標分析。

購買 Tenable Lumin

聯絡業務代表,瞭解 Lumin 如何協助您獲得整個企業的深入洞見,並管理網路風險。