The U.S. Department of Homeland Security has issued a statement regarding a serious security vulnerability that extends from Windows Server 2008 R2 to Windows 10 based servers. The risk of this vulnerability is categorized as ‘Critical’ or the maximum rating given is ‘10.0’ with a severity level of 10.0 and such a warning is issued only in the most extreme cases.
They point out that this is due to a vulnerability called Zerologon, which makes it very easy for a hacker to become the domain admin of the relevant server. And hackers have the ability to take full control of any vulnerable Windows server in as little as 3 seconds.
Last year, Secura (the security firm that found the flaw) had found a less serious Netlogon vulnerability that allowed workstations to be taken over, but for that to work, the attacker needed a Person-in-the-Middle (PitM) role.
Now, they have found this much more extreme (CVSS score: 10.0) flaw. Secura was able to call a function to set the domain controller’s machine password to a known value by forging an authentication token for the unique Netlogon features. The intruder can then use this new password to take control of the domain controller and steal the domain administrator ‘s credentials.
“The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.” — Secura.
A late Friday warning was released by the Cybersecurity and Infrastructure Security Agency, better known as CISA, requiring all federal departments and agencies to “immediately” patch any Windows servers susceptible to the so-called Zerologon attack, citing a “unacceptable risk” to government networks. The announcement stated that Windows servers and Active Directories in all U.S. government agencies must be patchy they expire on September 21st.
The Department of Homeland Security has also asked other agencies to install security patches to protect themselves from serious hacker attacks, which they point out could be used to steal information and spread malware.
Researchers have allegedly published proof-of -concept code, possibly enabling attackers to use the code to launch attacks. CISA said that it “assumes active exploitation of this vulnerability is occurring in the wild.”
Microsoft has already released the security patches required to patch this, and if your or your organization’s Windows Server 2008 R2 or later uses the Windows Server operating system, please update them as soon as possible.