How vulnerabilities like Zerologon can impact your cyber risk ratings

The Zerologon (CVE-2020-1472) vulnerability was recently identified by the National Security Agency (NSA) as one of the top 25 vulnerabilities being exploited by Chinese state-sponsored actors to hack organisations all over the world.

RiskXchange advises businesses globally to act immediately to protect their assets against Zerologon. Whether it is your own organisation or the organisations that make up your supply chain, an unpatched domain controller exposed to this vulnerability can lead to a complete domain compromise.

The impact of Zerologon

Zerologon affects Windows domain controllers. It allows an attacker with network access to the Netlogon service to obtain domain administrator privileges by abusing a cryptographic flaw in the Netlogon Remote Protocol (MS-NRPC) authentication handshake. Samba servers acting as domain controllers are also affected when the "server schannel" option is not set to "yes".

The Secura white paper states that this attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. 

Zerologon is often described as exploitable only from inside a corporate network, but it can be exploited over the Internet wherever a domain controller's RPC endpoints are reachable. An attacker needs only network access to the Netlogon service (MS-RPC over SMB on TCP 445, or over TCP via the endpoint mapper on port 135) and the NetBIOS computer name of the target domain controller. Zerologon is also being leveraged by ransomware groups.

How Zerologon works

Within their white paper, researchers from Secura explain in detail why the flaw exists and how it works. MS-NRPC's handshake and authentication involve AES in CFB8 (8-bit cipher feedback) mode. This is a less common way of using the AES block cipher: instead of encrypting a full 16-byte (128-bit) block at a time, the 16-byte shift register is encrypted, the first byte of the result is XORed with a single plaintext byte, and the resulting ciphertext byte is shifted into the register before the next byte is processed.

“In order to be able to encrypt the initial bytes of a message, an Initialisation Vector (IV) must be specified to bootstrap the encryption process,” Secura researcher Tom Tervoort said in the white paper. “This IV value must be unique and randomly generated for each separate plaintext that is encrypted with the same key. The ComputeNetlogonCredential function [of the MS-NRPC protocol], however, defines that this IV is fixed and should always consist of 16 zero bytes. This violates the requirements for using AES-CFB8 securely: Its security properties only hold when IVs are random.”

Tervoort shows that, because the IV is fixed at zero, 1 in 256 keys will encrypt an all-zero plaintext to an all-zero ciphertext: the first ciphertext byte is the first byte of AES(0^16) XORed with zero, and if that byte happens to be 0x00 (probability 1/256 for a random key) the shift register stays all zeros and every subsequent ciphertext byte is zero as well. In MS-NRPC the session key is derived from a fresh server challenge on every attempt, so an attacker impersonating a client (typically the domain controller's own machine account) sends a client challenge of eight zero bytes together with a client credential of eight zero bytes and simply retries; after an average of 256 attempts the server accepts the credential and authentication is bypassed.
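
To make the 1-in-256 argument concrete, the following simulation is added here as an example; it is not code from the Secura white paper, from Microsoft, or from RiskXchange. It implements AES-CFB8 with the fixed zero IV, models an unpatched server's side of the NetrServerReqChallenge/NetrServerAuthenticate3 exchange, and replays the zero challenge and zero credential until the server accepts. Assumptions: the machine account's MD4 password hash is replaced by a random 16-byte secret, the session-key derivation keeps only the shape of the MS-NRPC AES variant (HMAC-SHA256 over the two challenges, truncated to 16 bytes), and the RPC transport and the sign-and-seal negotiate flag that the real attack also clears are not modelled; the `server`, `handshake` and `zerologonAttempts` names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// zeroIV is the fixed all-zero IV that ComputeNetlogonCredential prescribes.
var zeroIV = make([]byte, 16)

// aesCFB8 implements AES-CFB8 encryption: each plaintext byte is XORed with the
// first byte of AES(register), and the ciphertext byte is shifted into the
// low end of the 16-byte register. With a zero IV and zero plaintext the
// register only ever changes if AES(0^16)[0] != 0.
func aesCFB8(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	reg := make([]byte, block.BlockSize())
	copy(reg, iv)
	ks := make([]byte, block.BlockSize())
	ct := make([]byte, len(pt))
	for i, b := range pt {
		block.Encrypt(ks, reg)
		ct[i] = b ^ ks[0]
		copy(reg, reg[1:]) // shift the register left by one byte
		reg[len(reg)-1] = ct[i]
	}
	return ct
}

func mustRandom(b []byte) {
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
}

// zeroKeyHits counts how many of n random keys encrypt eight zero bytes to
// eight zero bytes under AES-CFB8 with the zero IV. Expect about n/256.
func zeroKeyHits(n int) int {
	key := make([]byte, 16)
	zero8 := make([]byte, 8)
	hits := 0
	for i := 0; i < n; i++ {
		mustRandom(key)
		if bytes.Equal(aesCFB8(key, zeroIV, zero8), zero8) {
			hits++
		}
	}
	return hits
}

// deriveSessionKey follows the shape of the MS-NRPC AES session-key derivation:
// HMAC-SHA256(secret, clientChallenge || serverChallenge) truncated to 16 bytes.
// Assumption: secret is a random key standing in for the machine account's MD4 hash.
func deriveSessionKey(secret, clientChal, serverChal []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(clientChal)
	mac.Write(serverChal)
	return mac.Sum(nil)[:16]
}

// server models an unpatched domain controller's side of the handshake (hypothetical name).
type server struct{ secret []byte }

// handshake picks a fresh random server challenge, derives the session key,
// computes the credential it expects for the client's challenge
// (ComputeNetlogonCredential: AES-CFB8 with the zero IV) and compares it with
// the credential the client sent.
func (s *server) handshake(clientChal, clientCred []byte) bool {
	serverChal := make([]byte, 8)
	mustRandom(serverChal)
	sessionKey := deriveSessionKey(s.secret, clientChal, serverChal)
	expected := aesCFB8(sessionKey, zeroIV, clientChal)
	return bytes.Equal(expected, clientCred)
}

// zerologonAttempts replays the handshake with an all-zero client challenge and
// an all-zero client credential until the server accepts. It returns the number
// of attempts needed, or 0 if maxTries ran out.
func zerologonAttempts(s *server, maxTries int) int {
	zero8 := make([]byte, 8)
	for i := 1; i <= maxTries; i++ {
		if s.handshake(zero8, zero8) {
			return i
		}
	}
	return 0
}

func main() {
	secret := make([]byte, 16)
	mustRandom(secret)
	dc := &server{secret: secret}
	fmt.Printf("zero credential accepted after %d attempts (expect about 256)\n",
		zerologonAttempts(dc, 5000))
	fmt.Printf("%d of 102400 random keys map 0^8 to 0^8 (expect about 400)\n",
		zeroKeyHits(102400))
}
```

Running it prints a small attempt count on each run because every handshake draws a new server challenge and therefore a new session key, so each attempt is an independent 1/256 trial; the second line confirms the per-key rate statistically. Note that the attacker never learns the session key, which is why the real exploit also has to negotiate away signing and sealing before it can call anything useful.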

Is there an alert or patch?

Microsoft patched Zerologon in its August 2020 Patch Tuesday release. The fix is being rolled out in two phases: the initial update, and a later enforcement phase (scheduled for February 2021) in which domain controllers reject insecure Netlogon secure channel connections from non-compliant devices. The United States CISA issued Emergency Directive 20-04 requiring federal agencies to patch all domain controllers immediately and urged all other administrators to do the same. The NSA recently issued an advisory listing Zerologon among the top 25 vulnerabilities being exploited by Chinese state-sponsored actors.

How RiskXchange can be of service

RiskXchange is one of the firms leading the fight against cybercrime, developing practical solutions to the everyday problems organisations experience at the hands of attackers. We have developed a way to reduce an organisation's attack surface while giving it the means to manage that surface on an ongoing basis. Vulnerabilities like Zerologon are not a problem for RiskXchange.

With full visibility of your ecosystem's entire attack surface in near real time, you can continuously monitor and mitigate risks before they become exposures. Our passive data collection methods are effective and have no impact on your network performance. Data-driven insight into exposures such as unpatched domain controllers is what lets you act on a vulnerability before it is exploited.

About RiskXchange

RiskXchange provides an AI-assisted, automated and centralised 360-degree approach to cybersecurity risk rating management that remains simple to use. We generate objective, quantitative reporting on a company's cybersecurity risk and performance, which enables organisations with evolving business requirements to conduct business securely in today's open and collaborative digital world.

RiskXchange is an information security technology company that helps companies of all sizes fight cyber threats by providing instant risk ratings for any company across the globe. RiskXchange was founded and is led by recognised experts within the security industry, who have held leading roles within companies such as IBM Security.
