Secura’s Tom Tervoort recently published the details of ZeroLogon (CVE-2020-1472), and the reasons you should have zero tolerance for leaving it unpatched, in this white paper. A proof of concept (POC) exploit is now available on GitHub as well. The vulnerability takes advantage of what Secura’s summary describes as “a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol.”
So what does this mean and why is it important? The vulnerability was disclosed earlier and patched by Microsoft in August, but the release of the POC on September 11th means the attack is now far easier to carry out: it requires less skill, and the low complexity of the attack raises the risk. It already carried a CVSS score of 10.0, the maximum on the 0 to 10 severity scale. A successful attack gives a threat actor control of the domain controller, the server that handles authentication for every computer and account in a Windows domain, and from there the compromise of all associated accounts.
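The flaw itself is easy to see in code. The following is an added example written for this post, not code from Secura’s white paper or from the GitHub POC, and it never talks to a domain controller. It reproduces the shape of the Netlogon credential computation the white paper describes (AES-128 in CFB8 mode over the 8-byte challenge, keyed with the session key, with a fixed all-zero IV) and shows why an attacker who sends an all-zero challenge gets an all-zero credential for about one in 256 session keys. Function names, and the SHA-256-derived “session keys” used as test input, are my own constructions and stand in for the real values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// aesCFB8Encrypt is AES in CFB mode with an 8-bit segment (CFB8). Each
// plaintext byte is XORed with the first byte of AES_k(register); the
// register then shifts left one byte and takes in the ciphertext byte.
func aesCFB8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", block.BlockSize(), len(iv))
	}
	register := append([]byte(nil), iv...)
	keystream := make([]byte, block.BlockSize())
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(keystream, register)
		out[i] = p ^ keystream[0]
		copy(register, register[1:])
		register[len(register)-1] = out[i]
	}
	return out, nil
}

// cfb8KnownAnswerOK checks aesCFB8Encrypt against the AES-128 CFB8 vector
// in NIST SP 800-38A, Appendix F.3.7.
func cfb8KnownAnswerOK() bool {
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	iv, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	pt, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172aae2d")
	want, _ := hex.DecodeString("3b79424c9c0dd436bace9e0ed4586a4f32b9")
	got, err := aesCFB8Encrypt(key, iv, pt)
	return err == nil && bytes.Equal(got, want)
}

// zeroChallengeCredential mirrors the Netlogon credential computation the
// white paper describes: AES-128 CFB8 over the 8-byte challenge with the
// session key and a fixed all-zero IV. The fixed IV is the flaw; the
// attacker-chosen all-zero challenge is what exploits it.
func zeroChallengeCredential(sessionKey []byte) ([]byte, error) {
	iv := make([]byte, 16)       // always zero in the protocol
	challenge := make([]byte, 8) // attacker picks all zeros
	return aesCFB8Encrypt(sessionKey, iv, challenge)
}

// allZeroPredicted reports whether AES_k(0^16) starts with a zero byte. If it
// does, every CFB8 step sees the same all-zero register and the whole
// credential is zero; if not, the first credential byte is nonzero.
func allZeroPredicted(sessionKey []byte) (bool, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return false, err
	}
	var ks [16]byte
	block.Encrypt(ks[:], make([]byte, 16))
	return ks[0] == 0, nil
}

// testKey derives the i-th constructed session key (SHA-256 of a counter,
// truncated to 16 bytes). Stand-in values, not real Netlogon keys.
func testKey(i int) []byte {
	var ctr [8]byte
	binary.LittleEndian.PutUint64(ctr[:], uint64(i))
	sum := sha256.Sum256(ctr[:])
	return sum[:16]
}

// predictionMatches confirms over n constructed keys that allZeroPredicted
// agrees with the credential actually produced.
func predictionMatches(n int) bool {
	zero := make([]byte, 8)
	for i := 0; i < n; i++ {
		pred, err := allZeroPredicted(testKey(i))
		cred, err2 := zeroChallengeCredential(testKey(i))
		if err != nil || err2 != nil || pred != bytes.Equal(cred, zero) {
			return false
		}
	}
	return true
}

// bypassRate returns the fraction of constructed session keys for which the
// all-zero challenge yields an all-zero credential. Expect about 1/256,
// which is why the attack needs only a few hundred attempts on average.
func bypassRate(trials int) (float64, error) {
	zero := make([]byte, 8)
	hits := 0
	for i := 0; i < trials; i++ {
		cred, err := zeroChallengeCredential(testKey(i))
		if err != nil {
			return 0, err
		}
		if bytes.Equal(cred, zero) {
			hits++
		}
	}
	return float64(hits) / float64(trials), nil
}

func main() {
	fmt.Println("CFB8 known-answer test passed:", cfb8KnownAnswerOK())
	fmt.Println("prediction matches actual credential:", predictionMatches(2000))
	rate, _ := bypassRate(100000)
	fmt.Printf("all-zero credentials: %.5f of keys (1/256 = %.5f)\n", rate, 1.0/256)
}
```

Nothing here is specific to Windows: any protocol that seeds CFB8 with a constant IV and lets the client choose the plaintext has the same property, because the keystream for the first byte depends only on the key, and a zero first byte locks the register at zero for the rest of the message. The fix on the wire is Microsoft’s patch, not anything a client can do; this code only shows why an unpatched domain controller loses.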
This isn’t the first Netlogon bug Tervoort has disclosed. Much like earlier SMB, Intel, RDP, and Citrix vulnerabilities, researchers keep digging into the same technology over time and finding new problems in it. Hopefully the “shift left” mentality of DevSecOps, securing applications and protocols during the development phases, will help. These problems are much cheaper to fix at the start, even if that means companies paying more for software in the long run.