Client Advisory: Zerologon vulnerability

Learn why Zerologon carries the highest possible vulnerability severity score and what you can do to make sure your IT systems stay safe.

Cyber Advisory 3 min Thu, Aug 19, 2021

Introduction

CVE-2020-1472, or Zerologon colloquially, is a privilege escalation vulnerability within the Windows Service known as NetLogon. It allows cybercriminals to gain full control over a domain controller and, subsequently, an IT environment. Consequently, it carries a CVSS (Common Vulnerability Scoring System, a method of measuring the severity of vulnerabilities) score of 10, the highest possible.

While this vulnerability is a year old, having been originally published in August 2020, it has recently been confirmed as a favoured exploit of Conti, a renowned cybercrime organisation. If they are still using it, it may be time to make sure that you’re not vulnerable!

What is NetLogon?

NetLogon is a Windows service that handles authentication for workstations within a domain. These authentications can be for user accounts or for processes.

It is frequently open to remote access so that all the devices on a network can communicate with the domain controller.

How is it vulnerable?

Because it is commonly accessed remotely, it gives an attacker a network-reachable opening through which to gain access to the system and exploit the Zerologon vulnerability.

The Zerologon vulnerability is a weakness in the algorithm NetLogon uses to authenticate a user or service, and that weakness can be exploited by a brute-force attack. Successful exploitation creates an insecure session on the target host.

Once an attacker has access, they can reset the domain admin password, giving them complete control over the system, including the ability to cover their tracks.

How can this be mitigated?

Thankfully, this vulnerability being a year old means that we do not have to wait for the relevant patches to be released. They’re already out there!

The Windows patch for this issue was released in two stages, in August 2020 and February 2021, so all you need to do to be secure is update your systems to the most recent version. If that isn’t feasible for your business, that’s ok too: you just need to be running a version released after the patch was implemented.
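As an added example (not part of this advisory), the following PowerShell snippet, run in an elevated session on each domain controller, reports whether Netlogon secure-channel enforcement is configured and pulls the Netlogon event IDs that the August 2020 update added to flag insecure connections. The registry value name and event IDs are Microsoft's; the look-back window and the output layout are assumptions.

```powershell
# Added example: audit a domain controller for Zerologon enforcement status and for
# the Netlogon secure-channel events introduced by the August 2020 update.
# Assumption: the DC already has the August 2020 (or later) cumulative update, so the
# FullSecureChannelProtection value and event IDs 5827-5831 are meaningful.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$LookbackDays   = 30   # assumed review window

# 1. Enforcement setting. A value of 1 forces secure RPC for all Netlogon secure
#    channels. After the February 2021 enforcement-phase update, DCs enforce this
#    regardless of the value, so an absent value on a fully patched DC is not a finding.
$Enforcement = Get-ItemProperty -Path $NetlogonParams -Name FullSecureChannelProtection `
    -ErrorAction SilentlyContinue
if ($null -eq $Enforcement) {
    Write-Output 'FullSecureChannelProtection: not set (enforced anyway once the Feb 2021 update is installed)'
} else {
    Write-Output "FullSecureChannelProtection: $($Enforcement.FullSecureChannelProtection)"
}

# 2. Netlogon events added by the August 2020 update (System log, provider NETLOGON):
#    5827 / 5828 = vulnerable connection denied (machine account / trust account)
#    5829        = vulnerable connection allowed (seen only before enforcement)
#    5830 / 5831 = vulnerable connection allowed by the group-policy exception list
$Events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue

if (-not $Events) {
    Write-Output "No Netlogon secure-channel events (5827-5831) in the last $LookbackDays days."
} else {
    # Counts per event ID. Any 5829/5830/5831 entries identify devices still using an
    # insecure Netlogon channel; they should be patched or replaced, not just allowed.
    $Events | Group-Object Id | Sort-Object Name |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
        Format-Table -AutoSize

    # Most recent entries with the first line of the message, to trace each one back
    # to the device or trust that raised it.
    $Events | Sort-Object TimeCreated -Descending | Select-Object -First 20 |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```

Run it on every domain controller, since each DC logs only the secure-channel connections it handled itself.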