Saturday, February 8, 2025
HomeComputer SecurityBeware of the New Critical Zerologon Vulnerability in The Windows Server

Beware of the New Critical Zerologon Vulnerability in The Windows Server

Published on

SIEM as a Service

Follow Us on Google News

Microsoft Patchs the new critical vulnerability in Zerologon, A feature of Netlogon allows the domain controller to authenticate computers and update passwords in the Active Directory.

“The elevation of privilege vulnerability for Zerologon, or CVE-2020-147, exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). “

“An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.” Microsoft’s Security Update stated.

This feature is particularly vulnerable to this flaw because it allows hackers to impersonate any computer in the company’s network and change the password, even if you have two fac tor authentication.

Through doing this, the hackers are able to change the domain controller’s password, gaining administrative access, and taking control of the network.

The Zerologon Patch

When this flaw was discovered by Secura researchers. Microsoft immediately rolled out a patch as Part I of their phased rollout. This phased rollout is scheduled to be completed during the first few months of 2021.

Microsoft has chosen to release the patch updates in a phased rollout, as changing protocols can result in major disruptions on networks and servers that aren’t updated.

The versions of Windows Server that the patches are available for are ones that still receive security updates from Microsoft. However, the temporary issue arises that many networks use non-Windows devices or have legacy Windows devices that use the protocol to communicate with domain controllers.

The Zerologon patch released in August is currently blocking any attacks, and protocols are in place that non-compliant clients can continue to communicate with domain controllers, avoiding disruptions.

The DHS Emergency Directive

The Department of Homeland Security has issued, on September 14, 2020, emergency directives for any federal agencies using the Windows Server to perform patching actions as a response to the high-risk information security threats. 

The Cybersecurity and Infrastructure Security Agency sent this warning to prevent a compromise of agency information systems. Any servers that were unable to update their domain controllers by the deadline on September 21, 2020, were directed to unplug from the networks.

Protecting Your Organization

The first thing you should do is work with your IT department to ensure the patch from Microsoft is implemented on your network immediately if it hasn’t been done so already. August’s patch from Microsoft added five Event IDs for vulnerable Netlogon connections. When a secure channel connection during the initial deployment phase is allowed, event ID 5829 is generated.

To detect the Zerologon vulnerability, look for Event ID 4742, specifically “ANONYMOUS LOGON” users, and check the Password Last Set field for any changes. Your IT department will also be able to look for activity of all domain controllers in the Active Directory with this code:

norm_id=WinServer label=Computer label=Account label=Change computer=* user=”ANONYMOUS LOGON” user_id=”S-1-5-7″ password_last_set_ts=*

Admins have the ability to monitor for Event IDs 5827 an 5828. These are triggered when Netlogon connections are denied. Event IDs 5830 and 5831 are triggered when the Group Policy allows patched domain controllers from Netlogon connections.

It’s recommended that this situation continues to be monitored, as this patch and any issues that arise from it are ongoing. At the time of publication, Microsoft has not identified any mitigating factors or workarounds for this vulnerability aside from the Zerologon patch.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Microsoft Sysinternals 0-Day Vulnerability Enables DLL Injection Attacks on Windows

A critical zero-day vulnerability has been discovered in Microsoft Sysinternals tools, posing a serious security threat...

7-Zip 0-Day Flaw Added to CISA’s List of Actively Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical 0-day vulnerability...

Logsign Vulnerability Allows Remote Attackers to Bypass Authentication

A critical security vulnerability has been identified and disclosed in the Logsign Unified SecOps...