
Zerologon Vulnerability: What It Is and How To Get Protected

Published October 15, 2020; updated November 4th, 2020

Your systems could be vulnerable.

Like tyres, code can sometimes be discovered to have holes. In the case of your vehicle, a tyre with a hole will leak air and become useless. When it comes to your computer programs, the hole could be a bug that requires a quick fix. It could also be a security vulnerability that leaves the software or application open to attack.

Just as tyres are patched, so is code. To put it simply, a patch is a set of changes made to a computer program with the intent to upgrade, fix, or improve it. Patches are particularly important in the cybersecurity field, as they can get rid of identified vulnerabilities to ensure that an organisation’s systems and software are secure.

A recent vulnerability identified in Microsoft Windows’ Netlogon Remote Protocol has had people, companies, and agencies worldwide concerned.


The Zerologon Vulnerability

Announced in September 2020, the vulnerability known as the Zerologon vulnerability (officially CVE-2020-1472) is a significant one. It reached the highest rating of 10 under the Common Vulnerability Scoring System (CVSS).

The bug essentially leaves Microsoft Active Directory domain controllers open to attack. The flaw is in the Netlogon authentication handshake: the initialization vector is set to all zeros where it should always be a random value. By exploiting this, attackers can impersonate domain controllers and carry out denial-of-service (DoS) attacks or insert malware into networks.

A security update patch was released on the 11th of August, but Microsoft later announced in a blog post that they had received reports of continued activity exploiting Zerologon. The gap between a patch being released and it actually being installed depends on how promptly every organisation updates its systems, and that gap can be many months. This means that the Zerologon vulnerability will remain unfixed and exploitable in many networks.


The patch

In a blog post addressing the continued issue of Zerologon, VP Engineering Aanchal Gupta said this:

“Deploying the August 11, 2020 security update or later release to every domain controller is the most critical first step toward addressing this vulnerability. Once fully deployed, Active Directory domain controller and trust accounts will be protected alongside Windows domain-joined machine accounts.”

Microsoft also noted that organisations should activate enforcement mode for further protection in their environment. In enforcement mode, domain controllers refuse Netlogon secure channel connections from any device that does not use secure RPC, unless that device has been explicitly allowed through a specific group policy.
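The following PowerShell audit is an added example, not code from the original post or from Microsoft: run on a patched domain controller, it reports whether enforcement mode is on and which devices are still making vulnerable Netlogon connections. The registry value and event IDs it reads are taken from Microsoft's published guidance for the August 2020 update and are not stated in this article; confirm them against that guidance before relying on the script.

```powershell
# Added example (not from the article): audit a domain controller's Zerologon posture.
# Assumes: run as an administrator on a DC that already has the August 2020 update.
# The registry value and event IDs below come from Microsoft's guidance for that update,
# not from the article above. Verify them against the current Microsoft documentation.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Is enforcement mode on? A value of 1 makes the DC refuse Netlogon connections that
#    do not use secure RPC, except for accounts allowed by the group policy the post mentions.
$enforce = (Get-ItemProperty -Path $NetlogonKey -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($enforce -eq 1) {
    Write-Host 'Enforcement mode: ON'
} else {
    Write-Host 'Enforcement mode: OFF (a patched DC still accepts vulnerable connections until enforced)'
}

# 2. Which devices still rely on vulnerable connections? After the patch the DC logs:
#    5829 = vulnerable connection allowed (initial deployment phase, before enforcement)
#    5827 / 5828 = machine / trust account connection denied
#    5830 / 5831 = vulnerable connection allowed because the group policy permits it
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5827, 5828, 5829, 5830, 5831 } `
                       -ErrorAction SilentlyContinue

Write-Host "`nNetlogon secure channel events by ID:"
$events | Group-Object Id | Sort-Object Name |
    ForEach-Object { '  {0}  x{1}' -f $_.Name, $_.Count }

# Devices named in 5829 events will be denied once enforcement is switched on, so they
# need updating (or an explicit policy exception) first. Print the most recent ones.
Write-Host "`nMost recent 5829 (vulnerable connection allowed) events:"
$events | Where-Object Id -eq 5829 |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 10 TimeCreated, Message |
    Format-List

# 3. Turn enforcement mode on once every legitimate device has been updated.
#    Left commented out: this changes DC behaviour and should be a deliberate step.
# Set-ItemProperty -Path $NetlogonKey -Name FullSecureChannelProtection -Value 1 -Type DWord
```

Run the audit on every domain controller, since each DC keeps its own System log; a device that authenticates against only one DC will appear only there.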

The patch is effective, but for extra security an updated patch is expected to be released in February 2021. This will address any workarounds that hackers might come up with.


The importance of updates

This dangerous vulnerability in a widely-used application highlights the importance of regular security updates. If you have not yet done so, apply any recent Microsoft updates to all computers and networks.

Security updates can be a chore. However, they are crucial to keeping your devices and networks secure. In the current climate with many employees working remotely, it’s important to remind everyone regularly to install any available updates as soon as possible. Anyone in an organisation responsible for cybersecurity should also be keeping up to date with the latest news and threats to ensure a speedy response.

If you need help creating a system security plan that ensures the best possible security for your company, get in touch with CANDA. As NZ’s cybersecurity experts, they can risk assess and certify your systems to guard against cyberattacks of all kinds.
