Zerologon (formally: ) is a privilege elevation vulnerability in Microsoft's authentication protocol Netlogon Remote Protocol (MS-NRPC), as implemented in the Windows Client Authentication Architecture and Samba.
The vulnerability was first reported to Microsoft by security researcher Tom Tervoort from Secura on 17 August 2020 and dubbed "Zerologon".
Zerologon was given a Common Vulnerability Scoring System (CVSS) v3.1 severity ranking of 10 by the U.S. National Institute of Standards and Technology (NIST) and a 5.5 by Microsoft.
CrowdStrike classifies it as the most severe Active Directory vulnerability of 2020.
The vulnerability allows an unauthenticated user of the network to establish an unsafe connection to a domain controller (DC) and then impersonate the DC to elevate to domain admin privileges.
It allows attackers to access all valid usernames and passwords in each Microsoft network that they have breached. This in turn allows them to access additional credentials necessary to assume the privileges of any legitimate user of the network, which can let them compromise Microsoft 365 email accounts.
Background
The Netlogon Remote Protocol (MS-NRPC) is a Microsoft protocol used for authentication and secure communication between clients and DCs in a Windows network environment. It facilitates the exchange of authentication data and the establishment of secure channels for communication, enabling clients to authenticate against Active Directory and other network services. The protocol plays a key role in domain join operations, password changes, and other security-related tasks within a Windows domain.
Behavior
The original report by Secura explains the exploit in five steps.
Bypassing the authentication
The attack focuses on the DC of a network. MS-NRPC relies on a challenge–response authentication to generate a session key from the shared secret (such as a passphrase). To authenticate a client, the MS-NRPC client credentials are computed from the session key, an initialization vector (IV), and the client challenge using a less common Advanced Encryption Standard (AES) block cipher mode, namely 8-bit Cipher Feedback Mode (AES-CFB8). This is where the vulnerability lies. Because the server secret is chosen randomly, the session key computation yields, in 1 out of 256 cases, a session key that begins with a zero byte. The session key is then used to encrypt the IV and the client challenge. Since the IV is all-zero by default, the client challenge can be set to an all-zero vector as well, and with a session key beginning with a zero byte, AES-CFB8 produces an all-zero client credential. The client credentials computed by the server are then compared with the credentials sent by the client, which the attacker has also set to all-zero. The client is now authenticated.
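To make the AES-CFB8 property concrete, the following Go program is an added example; it is not code from the original article, from Secura or from Microsoft. It implements CFB8 on top of Go's standard AES block cipher (the standard library only ships full-block CFB) and measures how often an all-zero 8-byte challenge encrypts to an all-zero credential under the fixed zero IV, compared with a fresh random IV per key. What the code checks is the precise condition behind the 1-in-256 figure: with a zero IV the shift register starts all-zero, so the first keystream byte is the first byte of AES_key(0^16); when that byte is zero, the ciphertext byte is zero, the register stays all-zero, and every following byte is zero too. All function names (cfb8Encrypt, countZeroCredentials and so on), the 20000-key sample size and the test keys are this example's own choices, not anything from the article.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// cfb8 runs AES-CFB8 over in with the standard library's AES block cipher
// (crypto/cipher only offers full-block CFB). Per byte: encrypt the 16-byte shift
// register, XOR its first keystream byte with the input byte, then shift the
// resulting ciphertext byte into the register from the right.
func cfb8(key, iv, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", aes.BlockSize, len(iv))
	}
	shift := make([]byte, aes.BlockSize)
	copy(shift, iv)
	keystream := make([]byte, aes.BlockSize)
	out := make([]byte, len(in))
	for i, b := range in {
		block.Encrypt(keystream, shift)
		out[i] = b ^ keystream[0]
		fed := out[i] // the ciphertext byte feeds back: out[i] when encrypting...
		if decrypt {
			fed = b // ...and the input byte when decrypting
		}
		copy(shift, shift[1:])
		shift[aes.BlockSize-1] = fed
	}
	return out, nil
}

func cfb8Encrypt(key, iv, pt []byte) ([]byte, error) { return cfb8(key, iv, pt, false) }
func cfb8Decrypt(key, iv, ct []byte) ([]byte, error) { return cfb8(key, iv, ct, true) }

// isAllZero reports whether every byte of b is zero.
func isAllZero(b []byte) bool {
	for _, x := range b {
		if x != 0 {
			return false
		}
	}
	return true
}

// firstKeystreamByteIsZero is the shortcut behind the 1-in-256 figure: with a zero
// IV the register starts all-zero, so the first keystream byte is AES_key(0^16)[0].
// If it is zero, the ciphertext byte is zero, the register stays all-zero, and
// every following byte of an all-zero challenge encrypts to zero as well.
func firstKeystreamByteIsZero(key []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	var zero, ks [aes.BlockSize]byte
	block.Encrypt(ks[:], zero[:])
	return ks[0] == 0, nil
}

// countZeroCredentials draws n random 128-bit keys and counts how many map an
// all-zero 8-byte challenge (Netlogon challenges and credentials are 8 bytes) to
// an all-zero credential. randomIV=false keeps the fixed zero IV; randomIV=true
// draws a fresh IV per key, which breaks the zero chain and leaves only the
// 2^-64 chance that all 8 output bytes happen to be zero.
func countZeroCredentials(n int, randomIV bool) (int, error) {
	buf := make([]byte, 16+aes.BlockSize) // random key followed by random IV
	iv := make([]byte, aes.BlockSize)     // stays all-zero unless randomIV
	challenge := make([]byte, 8)
	hits := 0
	for i := 0; i < n; i++ {
		if _, err := rand.Read(buf); err != nil {
			return 0, err
		}
		if randomIV {
			iv = buf[16:]
		}
		cred, err := cfb8Encrypt(buf[:16], iv, challenge)
		if err != nil {
			return 0, err
		}
		if isAllZero(cred) {
			hits++
		}
	}
	return hits, nil
}

func main() {
	zeroIVHits, _ := countZeroCredentials(20000, false)
	randomIVHits, _ := countZeroCredentials(20000, true)
	fmt.Printf("zero IV:   %d of 20000 keys give an all-zero credential (about 78 expected)\n", zeroIVHits)
	fmt.Printf("random IV: %d of 20000 keys give an all-zero credential\n", randomIVHits)
}
```

Running it shows roughly 78 of 20000 random keys producing an all-zero credential with the zero IV and none with a random IV, which is the defender's takeaway: the mode itself is not broken, but a fixed all-zero IV combined with an attacker-chosen all-zero challenge collapses the credential check to a 1-in-256 guess that can simply be retried.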
Disabling signing and encryption
MS-NRPC signs and encrypts calls with the session key, which the attacker does not know. An attacker can circumvent this by not setting a flag in the authentication RPC call, which disables signing and encryption.
Spoofing RPC calls
Another obstacle the attacker must overcome is the so-called authenticator value used by Netlogon, which is required for some calls. This value is computed from an incrementing value held by the client, the client credentials, and a timestamp. If the client sets the incrementing value to all-zero and the timestamp is also set to all-zero when an RPC call is invoked, the server will set the authenticator to all-zero as well, allowing the attacker to carry out the call.
Setting the password
In the penultimate step, the password is set to an empty one, allowing the attacker to follow the normal protocol procedure from this point on.
Elevating to domain admin
It is possible for the attacker to impersonate not just any user on the domain, but the domain controller itself. Once logged in, the attacker can retrieve hashed credentials from the DC, enabling a pass-the-hash attack and ultimately elevating to domain administrator.
Mitigation
Microsoft addressed the Zerologon vulnerability through two security updates: a less strict one in August 2020 and a later one in February 2021 that enforces signing and encryption for MS-NRPC calls by default, with the ability to allow certain devices to handle legacy support.
Response and impact
In 2020, Zerologon started to be used in sophisticated cyberespionage campaigns by threat groups such as Red Apollo in global attacks against the automotive, engineering and pharmaceutical industries.
Zerologon was also used to hack the municipal wireless network of Austin, Texas.
Unusually, Zerologon was the subject of an emergency directive from the United States Cybersecurity and Infrastructure Security Agency (CISA).
See also
* 2020 United States federal government data breach