By Roi Shaubi | September 17, 2020

A critical Netlogon vulnerability detailed last week and patched in August by Microsoft could put operational technology (OT) networks at risk for disruption by allowing an unauthenticated attacker to gain domain-level administrator privileges.

The Netlogon service lives within Microsoft Active Directory (AD), which is used to manage domains and users, as well as authentication and authorization to network assets. Active Directory is often installed locally on an OT network or used cross-domain between IT and OT networks. Technologies such as distributed control systems (DCS), for example, may be particularly vulnerable to this bug because they often rely on AD as their main authentication repository for network credentials. Penetrating the domain controller of an industrial network could put an attacker in position to interfere with and damage business processes.

Microsoft made a patch available for CVE-2020-1472 last month, and said the patch is the first part of a phased two-part rollout. Part two of the rollout will be available in the first quarter of 2021. This vulnerability was given a CVSSv3 score of 10, the highest criticality score.

Netlogon is a remote procedure call (RPC) interface that is part of the Windows Client Authentication Architecture. Its purpose is to verify network login requests, authenticate users to domain controllers, and facilitate access to networked services. Domain controllers are common in industrial networks and often include multiple domains and domain servers.

It’s highly recommended that organizations apply this patch immediately given there are several proof-of-concept exploits that have been made public, including one confirmed by a CERT/CC analyst. This privilege escalation vulnerability may also affect Samba, which is an interoperability suite standard on Linux and Unix operating systems, and is used that provides print and file services for Windows clients, either as a domain controller or domain member.

Researchers at Secura, a security services company in the Netherlands, privately disclosed the flaw—which they call Zerologon—to Microsoft and last week published a research paper and testing tool.

Zerologon is so-named because of a 0-padding flaw in the initialization vector of the AES-CFB8 cryptographic algorithm schemes used in the Netlogon NetrServerReqChallenge authentication process in the ComputeNetlogonCredential function. Once every 256 tries—or every three seconds—an eight-zero output will likely result, one that can give an attacker access to any computer in the domain.

Once the attacker is able to bypass the Netlogon authentication calls, they may use NetrServerPasswordSet2—an unsigned and unsealed function used to set new computer passwords for the client. When setting it with zeroes, it sets an empty password that could be logged on by the attacker, who would then be able to change the password. This attack is most dangerous when applying it on the domain server because it can give an attacker domain admin privileges.

Secura cautions that unpatched domain controllers can be compromised from the same local area network, and attackers could elevate privileges to admin, or impersonate any networked device authenticating to a domain controller. This vulnerability is actually an expansion of a previously discovered vulnerability—CVE-2019-1424—a security bypass flow in Netlogon that enabled remote local administrator access to domain-joined machines using a man-in-the-middle attack.

Until phase two of the patch is available next year, Microsoft recommends installing the security update released Aug. 11, which ensures the Netlogon features that are disabled by this vulnerability are mandatory for all Netlogon authentication attempts. Users may also turn on DC enforcement mode. As Microsoft explains: “DC enforcement mode is when all Netlogon connections are either required to use secure RPC or the account must have been added to the ‘Domain controller: Allow vulnerable Netlogon secure channel connections’ group policy.”