Exploit code for a critical privilege escalation bug in the Netlogon Remote Protocol (NRP), used by domain controllers in Windows networks, has now been released. Users are encouraged to apply the security patch that Microsoft released in August as soon as possible.
The bug in the NRP was found by Tom Tervoort, a researcher at the Dutch security firm Secura.
While details of the Zerologon vulnerability were withheld in August, Secura has now published a full technical description of the bug.
Today, security researcher Dirk-jan Mollema published a proof of concept for the vulnerability on GitHub. The vulnerability carries the maximum score of 10.0 out of 10 on the Common Vulnerability Scoring System (CVSS).
The Zerologon bug allows an attacker who has gained a foothold on an internal Windows network to simply send a series of Netlogon messages with certain fields set to zero and change a domain controller
Zerologon (CVE-2020-1472): 100% reliable domain administrator rights instantly through unauthenticated network access to DC. The Craziest Windows Domain Vulnerability Ever. The original description of @SecuraBV with the test tool can be found here: https://t.co/6hNvMOrucI pic.twitter.com/M8RMB82ZOy
– an0n (@an0n_r0) September 14, 2020
“The attack has enormous effects: in principle, any attacker in the local network (e.g. a malicious insider or someone who has simply connected a device to a local network port) can completely compromise the Windows domain,” wrote Tervoort.
Ransomware criminals in particular are likely to exploit the Zerologon vulnerability.
Microsoft has now fixed the bug, which lies in Netlogon's cryptographic scheme, and Tervoort’s tests show that the Zerologon attack no longer works once the August patch is applied.
Microsoft will tighten the NRP further in February next year, when enforcement mode is enabled for the protocol by default.
Enforcement mode mandates secure NRP communication for all devices, so administrators must update the devices connecting to their networks or whitelist those devices that do not support the more secure protocol.
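Before enforcement mode is switched on, administrators need to know which devices are still relying on the insecure Netlogon connection. Patched domain controllers log this in the System log under Netlogon event IDs 5827 and 5828 (vulnerable connection denied), 5829 (vulnerable connection still allowed) and 5830 and 5831 (allowed by a group-policy exception). The script below is an added example, not Secura's test tool or Microsoft's code: it triages an export of those events and reports which accounts still need attention. The JSON-per-line export format, its field names, and the sample records are all constructed assumptions, not the exact Windows event schema.

```python
"""Triage exported Netlogon events ahead of Zerologon enforcement mode.

Added example; assumes the domain controller's System log was exported as
one JSON record per line with the field names used below (an assumption,
not the native Windows event schema). Sample records are constructed.
"""
import json
from collections import defaultdict

# Netlogon event IDs Microsoft documents for the CVE-2020-1472 rollout.
EVENT_MEANING = {
    5827: ("denied", "vulnerable machine-account connection denied"),
    5828: ("denied", "vulnerable trust-account connection denied"),
    5829: ("needs_update", "vulnerable connection still allowed"),
    5830: ("exception", "machine account allowed by group-policy exception"),
    5831: ("exception", "trust account allowed by group-policy exception"),
}

# Constructed sample export. The last record is an unrelated System-log
# event (service state change) to show that non-Netlogon events are skipped.
SAMPLE_EXPORT = """
{"TimeCreated": "2020-09-14T08:01:12Z", "EventID": 5829, "SamAccountName": "NAS01$", "ClientIP": "10.0.5.20", "OS": "Linux Samba"}
{"TimeCreated": "2020-09-14T08:03:40Z", "EventID": 5829, "SamAccountName": "NAS01$", "ClientIP": "10.0.5.21", "OS": "Linux Samba"}
{"TimeCreated": "2020-09-14T08:05:02Z", "EventID": 5830, "SamAccountName": "PRINTER7$", "ClientIP": "10.0.9.3", "OS": "Embedded"}
{"TimeCreated": "2020-09-14T08:09:55Z", "EventID": 5827, "SamAccountName": "OLDBOX$", "ClientIP": "10.0.2.77", "OS": "Windows 2003"}
{"TimeCreated": "2020-09-14T08:11:30Z", "EventID": 7036, "SamAccountName": "", "ClientIP": "", "OS": ""}
"""


def parse_export(text):
    """Parse one JSON record per line, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def triage(records):
    """Group accounts by what the domain controller did with their Netlogon connection.

    Returns {category: {account: {"count", "ips", "os"}}} where category is
    "needs_update", "exception" or "denied".
    """
    groups = defaultdict(dict)
    for rec in records:
        meaning = EVENT_MEANING.get(int(rec["EventID"]))
        if meaning is None:
            continue  # not a Netlogon enforcement event
        category, _ = meaning
        entry = groups[category].setdefault(
            rec["SamAccountName"],
            {"count": 0, "ips": set(), "os": rec.get("OS") or "unknown"},
        )
        entry["count"] += 1
        entry["ips"].add(rec.get("ClientIP") or "?")
    return groups


def ready_for_enforcement(groups):
    """True only when no device is still being allowed a vulnerable connection (no 5829 events)."""
    return not groups.get("needs_update")


def report(groups):
    """One line per account, most urgent category first."""
    lines = []
    for category in ("needs_update", "exception", "denied"):
        for account, entry in sorted(groups.get(category, {}).items()):
            ips = ", ".join(sorted(entry["ips"]))
            lines.append(f"{category:12} {account:12} x{entry['count']:<3} {entry['os']:14} {ips}")
    return lines


if __name__ == "__main__":
    groups = triage(parse_export(SAMPLE_EXPORT))
    print("\n".join(report(groups)))
    print("ready for enforcement mode:", ready_for_enforcement(groups))
```

Accounts listed under needs_update are the ones that will break when enforcement mode is enabled; those under exception are already whitelisted, and those under denied are already being blocked. Run against a real export, the readiness check only answers "yes" once every device has been updated or explicitly excepted.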
Secura has also published a Python script on GitHub to test whether a domain controller is vulnerable.