A new critical vulnerability in Windows, named Zerologon, was recently discovered. It is so severe that it has been given the maximum Common Vulnerability Scoring System (CVSS) score of 10 out of 10, and Microsoft itself has rated it as a severe vulnerability.
What is Zerologon?
The vulnerability was found in Netlogon, which is the protocol used by Windows systems to authenticate against a Windows Server running as a domain controller. The vulnerability in Netlogon allows attackers to:
- Impersonate the identity of any computer on your network during an authentication attempt on a domain controller
- Disable security features in the Netlogon authentication process
- Change a computer’s password on the domain controller’s Active Directory
The only limitation of the vulnerability is that the attack can only be carried out by threat actors who have already gained access to your network.
What can I do?
Firstly, it is highly recommended that you apply the Microsoft security update that fixes this vulnerability. This is the most important step in making sure that your network is not affected by this critical vulnerability. You can find the Microsoft security advisory for CVE-2020-1472 here.
If patching cannot be done immediately, one way to help mitigate an attack is to prevent attackers from getting into the network in the first place. As stated above, the attack depends on the threat actors already being inside the network; however, once they are, they will be able to take control of your whole network.
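Alongside patching, it is worth watching the domain controller's own Security log. The following Python script is an added example, not part of the original post or of any Trend Micro product. It assumes the domain controller already has the August 2020 Microsoft update installed (which added Netlogon event IDs 5827 to 5831, documented in Microsoft KB4557222), that event ID 4742 ("A computer account was changed") is available as usual, and that events arrive as a dict export from a SIEM; the field names, the sample events and the 10-minute correlation window are constructed for this example. It flags a vulnerable Netlogon connection that the DC still allowed, and raises a critical finding when that is followed by a password change on the same domain controller's computer account, which is the effect of the attack described above.

```python
"""Added example (not from the original post): triage domain-controller
Security log events for signs of Zerologon (CVE-2020-1472) activity.

Assumptions:
- The DC has the August 2020 Microsoft update, which added Netlogon
  event IDs 5827-5831 (Microsoft KB4557222).
- Event ID 4742 ("A computer account was changed") is used as-is.
- Records are plain dicts as a SIEM export might produce; the field names
  "TimeCreated", "EventID", "SamAccountName", "ClientIP", "TargetAccount"
  and "SubjectAccount" are simplified for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NETLOGON_DENIED = {5827, 5828}          # vulnerable secure channel denied by the DC
NETLOGON_ALLOWED = {5829, 5830, 5831}   # vulnerable secure channel still allowed
COMPUTER_ACCOUNT_CHANGED = 4742

# Constructed sample export, not real log data.
SAMPLE_EVENTS = [
    {"TimeCreated": "2020-09-21T10:00:00", "EventID": 5829,
     "SamAccountName": "DC01$", "ClientIP": "10.0.5.23"},
    {"TimeCreated": "2020-09-21T10:00:02", "EventID": 4742,
     "TargetAccount": "DC01$", "SubjectAccount": "ANONYMOUS LOGON"},
    {"TimeCreated": "2020-09-21T09:30:00", "EventID": 5827,
     "SamAccountName": "PRINTER7$", "ClientIP": "10.0.9.4"},
    {"TimeCreated": "2020-09-21T11:00:00", "EventID": 4742,
     "TargetAccount": "WS042$", "SubjectAccount": "WS042$"},
]


def _ts(record):
    """Parse the simplified ISO timestamp used by the sample export."""
    return datetime.strptime(record["TimeCreated"], "%Y-%m-%dT%H:%M:%S")


def triage_netlogon_events(records, dc_accounts, window=timedelta(minutes=10)):
    """Return a time-ordered list of (severity, message) findings.

    dc_accounts: set of domain controller machine account names, e.g. {"DC01$"}.
    A vulnerable-but-allowed connection (5829-5831) followed within `window`
    by a password change on the same DC machine account (4742) is the
    sequence the attack leaves behind and is reported as critical.
    """
    findings = []
    allowed_seen = defaultdict(list)  # machine account -> timestamps of 5829-5831
    for rec in sorted(records, key=_ts):
        eid, when = rec["EventID"], _ts(rec)
        if eid in NETLOGON_DENIED:
            # The patched DC refused an insecure handshake: either a blocked
            # attempt or an unpatched legacy device; both deserve a look.
            findings.append(("medium", f"{when} vulnerable Netlogon connection from "
                             f"{rec['SamAccountName']} at {rec['ClientIP']} was denied"))
        elif eid in NETLOGON_ALLOWED:
            acct = rec["SamAccountName"]
            allowed_seen[acct].append(when)
            # A DC's own machine account should never need the insecure path.
            sev = "high" if acct in dc_accounts else "medium"
            findings.append((sev, f"{when} vulnerable Netlogon connection from {acct} at "
                             f"{rec['ClientIP']} was ALLOWED (exception or pre-enforcement)"))
        elif eid == COMPUTER_ACCOUNT_CHANGED and rec["TargetAccount"] in dc_accounts:
            acct = rec["TargetAccount"]
            recent = [t for t in allowed_seen[acct] if when - t <= window]
            sev = "critical" if recent else "high"
            detail = f"; preceded by a vulnerable Netlogon connection at {recent[-1]}" if recent else ""
            findings.append((sev, f"{when} computer account {acct} (a domain controller) "
                             f"was changed by {rec['SubjectAccount']}{detail}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage_netlogon_events(SAMPLE_EVENTS, {"DC01$"}):
        print(f"[{severity.upper():8}] {message}")
```

Routine 4742 events for ordinary workstations (their 30-day machine password rotation) are deliberately ignored so the output stays actionable; only domain controller accounts are correlated.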
Trend Micro Solution
For our Trend Micro customers, Deep Security or Apex One can be used to apply virtual patching to help mitigate the attacks and keep your network safe. Below are the IPS rules that may help you strengthen your defense if patching cannot be done immediately:
IPS Rules
Deep Security and Cloud One – Workload Security, Vulnerability Protection and Apex One Vulnerability Protection (iVP)
- Rule 1010519 – Microsoft Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)
- Rule 1010521 – Microsoft Windows Netlogon Elevation of Privilege Vulnerability Over SMB (CVE-2020-1472)
Please note that both rules are already set to Prevent.
Other Inspection / Detection Rules
Deep Discovery Inspector
- Rule 4453: CVE-2020-1472_DCE_RPC_ZEROLOGON_EXPLOIT_REQUEST
- Rule 4455: CVE-2020-1472_SMB2_ZEROLOGON_EXPLOIT_REQUEST
For those interested in learning more about the attacks, Trend Micro is also hosting a webinar this coming September 29, 2020 to talk more in detail about the vulnerability. You can register for the free webinar here.
If you have any questions regarding either Zerologon or the Trend Micro solution to help prevent the attacks, please contact us via email (rcruz@www.ctlink.com.ph) or through our landline 88939515 and we would be happy to answer your inquiries!