A critical Netlogon vulnerability detailed last week and patched in August by Microsoft could put operational technology (OT) networks at risk for disruption by allowing an unauthenticated attacker to gain domain-level administrator privileges.
The Netlogon service lives within Microsoft Active Directory (AD), which is used to manage domains and users, as well as authentication and authorization to network assets. Active Directory is often installed locally on an OT network or used cross-domain between IT and OT networks. Technologies such as distributed control systems (DCS), for example, may be particularly vulnerable to this bug because they often rely on AD as their main authentication repository for network credentials. Penetrating the domain controller of an industrial network could put an attacker in position to interfere with and damage business processes.
Microsoft made a patch available for CVE-2020-1472 last month, and said the patch is the first part of a phased two-part rollout. Part two of the rollout will be available in the first quarter of 2021. This vulnerability was given a CVSSv3 score of 10, the highest criticality score.
Netlogon is a remote procedure call (RPC) interface that is part of the Windows Client Authentication Architecture. Its purpose is to verify network login requests, authenticate users and machines to domain controllers, and facilitate access to networked services. Domain controllers are common in industrial networks, which often span multiple domains and multiple domain controllers.
Organizations are strongly advised to apply this patch immediately, given that several proof-of-concept exploits have been made public, including one confirmed by a CERT/CC analyst. The privilege escalation vulnerability may also affect Samba, the interoperability suite standard on Linux and Unix operating systems that provides print and file services for Windows clients, either as a domain controller or as a domain member. Samba is exposed when it does not insist on a secure channel (the server schannel setting is no or auto); Samba 4.8 and later default to server schannel = yes, so the risk is concentrated in older releases and in deployments that changed that default.
Researchers at Secura, a security services company in the Netherlands, privately disclosed the flaw—which they call Zerologon—to Microsoft and last week published a research paper and testing tool.
Zerologon takes its name from the all-zero values at the heart of the flaw. ComputeNetlogonCredential, the function that produces the credential exchanged during the Netlogon authentication handshake (NetrServerReqChallenge followed by NetrServerAuthenticate3), encrypts the 8-byte challenge with AES-CFB8 using an initialization vector hard-coded to sixteen zero bytes. For roughly one session key in 256, an all-zero challenge then encrypts to an all-zero credential, so an attacker who repeatedly submits a zero challenge together with a zero client credential is accepted after about 256 attempts on average (Secura reports roughly three seconds) without knowing the computer account's password, and can authenticate as any computer in the domain.
Once authenticated, the attacker calls NetrServerPasswordSet2, the function a client uses to set a new password for its computer account. The call is normally protected by RPC signing and sealing, but the attacker clears the sign/seal flag when negotiating the session and sends an encrypted password blob consisting entirely of zeros. Under a session key that accepts the zero credential, that blob decrypts to all zeros, including its trailing length field, so the domain controller stores an empty password. The attacker can then log on as that computer account and change the password. The attack is most dangerous when the target is the domain controller's own machine account, because from there the attacker can extract domain credentials and obtain domain admin privileges.
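The zero-IV weakness described above, as an added example that is neither Secura's test tool nor Microsoft's implementation: it re-implements AES-CFB8 the way ComputeNetlogonCredential applies it (IV hard-coded to zero), searches for a session key that accepts an all-zero credential, and shows that under such a key an all-zero 516-byte password blob also encrypts to all zeros, so the DC would set an empty password. It uses AES from the cryptography package when installed and otherwise a clearly labelled HMAC-based stand-in for the block function; the per-session keys are derived from a counter for reproducibility and are not real Netlogon session keys.

```python
"""Why Zerologon (CVE-2020-1472) works: AES-CFB8 with a hard-coded all-zero IV.
Added example; assumptions are marked in comments."""
import hashlib
import hmac

try:
    # Real AES-128 when the `cryptography` package is available.
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()

    BLOCK_FUNCTION = "AES-128"
except ImportError:
    # Assumption for portability: a keyed stand-in for the block cipher. CFB mode
    # only ever calls the cipher in the forward direction, so any key-dependent
    # 16-byte function reproduces the same structural weakness.
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hmac.new(key, block, hashlib.sha256).digest()[:16]

    BLOCK_FUNCTION = "HMAC-SHA256 stand-in"

BLOCK_SIZE = 16
ZERO_IV = bytes(BLOCK_SIZE)        # the IV ComputeNetlogonCredential hard-codes
ZERO_CHALLENGE = bytes(8)          # attacker-chosen client challenge
TRUST_PASSWORD_LEN = 516           # NL_TRUST_PASSWORD: 512-byte buffer + 4-byte length


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB with an 8-bit feedback unit: encrypt the 16-byte shift register, XOR its
    first byte with one plaintext byte, then shift the ciphertext byte in."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(shift))[0] ^ p
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Decryption mirrors encryption; the register is fed ciphertext bytes."""
    shift = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(block_encrypt(key, bytes(shift))[0] ^ c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """AES-CFB8 over the 8-byte challenge with IV = 0, as in MS-NRPC."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def session_key_is_vulnerable(session_key: bytes) -> bool:
    """True when an all-zero challenge yields an all-zero credential.

    With IV = 0 and plaintext = 0, each ciphertext byte is the first byte of
    block_encrypt(key, 0^16). If that byte is 0 the register never changes and
    every output byte is 0, so the whole credential is zero with probability 1/256.
    """
    return compute_netlogon_credential(session_key, ZERO_CHALLENGE) == bytes(8)


def derive_test_key(seed: str, index: int) -> bytes:
    """Constructed, deterministic stand-in for a per-session key (not the real
    Netlogon key derivation)."""
    return hashlib.sha256(f"{seed}:{index}".encode()).digest()[:16]


def find_vulnerable_key(seed: str = "zerologon", limit: int = 10000):
    """Emulate the attacker's retry loop: keep trying until the key cooperates."""
    for i in range(limit):
        key = derive_test_key(seed, i)
        if session_key_is_vulnerable(key):
            return key
    return None


def zero_credential_rate(trials: int, seed: str = "rate") -> float:
    """Empirical fraction of session keys that accept an all-zero credential."""
    hits = sum(session_key_is_vulnerable(derive_test_key(seed, i)) for i in range(trials))
    return hits / trials


def decrypted_password_length(session_key: bytes, encrypted_blob: bytes) -> int:
    """Server-side view of NetrServerPasswordSet2: decrypt NL_TRUST_PASSWORD and
    read the trailing little-endian length field."""
    plain = cfb8_decrypt(session_key, ZERO_IV, encrypted_blob)
    return int.from_bytes(plain[-4:], "little")


if __name__ == "__main__":
    key = find_vulnerable_key()
    zero_blob = bytes(TRUST_PASSWORD_LEN)
    print("block function:", BLOCK_FUNCTION)
    print("vulnerable session key:", key.hex())
    print("credential for zero challenge:", compute_netlogon_credential(key, ZERO_CHALLENGE).hex())
    print("zero blob encrypts to zeros:", cfb8_encrypt(key, ZERO_IV, zero_blob) == zero_blob)
    print("password length the DC would store:", decrypted_password_length(key, zero_blob))
    print(f"fraction of keys accepting a zero credential: {zero_credential_rate(10000):.4f}")
```

The attacker never learns the session key: the all-zero input and output are independent of it, which is why the only cost is retrying until one attempt lands on a key whose first encrypted byte is zero. A random, per-call IV would break the argument immediately, since the shift register would no longer start at zero.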
Secura cautions that unpatched domain controllers can be compromised from the same local area network: an attacker with network access to the domain controller, and no credentials, can elevate privileges to domain admin or impersonate any networked device that authenticates to it. The vulnerability expands on a previously discovered issue, CVE-2019-1424, a security feature bypass in Netlogon that gave a man-in-the-middle attacker local administrator access to domain-joined machines.
Until phase two of the patch is available next year, Microsoft recommends installing the security update released Aug. 11, which makes secure RPC (signed and sealed Netlogon secure channel connections) mandatory for Windows devices and trust accounts, while still allowing, and logging, insecure connections from non-Windows devices until the enforcement phase. Administrators can opt into DC enforcement mode early by setting the FullSecureChannelProtection registry value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters to 1 on every domain controller; before doing so, review Netlogon Event IDs 5827 through 5831 in the System log, which record which machine and trust accounts are still making vulnerable connections and would be denied once enforcement is on. As Microsoft explains: "DC enforcement mode is when all Netlogon connections are either required to use secure RPC or the account must have been added to the 'Domain controller: Allow vulnerable Netlogon secure channel connections' group policy."
CWE-79 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING')
The affected product contains a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript in the victim's browser.
Zenitel recommends that users upgrade to Version 9.3.3.0 or later.
CVSS v3: 9.8
CWE-787 OUT-OF-BOUNDS WRITE
The affected product contains an out-of-bounds write vulnerability, which could allow a remote attacker to crash the device.
Zenitel recommends that users upgrade to Version 9.3.3.0 or later.
CVSS v3: 7.6
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION')
An OS command injection vulnerability exists due to incomplete validation of user-supplied input. The validation does not enforce sufficient formatting rules, so an attacker can append arbitrary data to the expected value. This could allow an unauthenticated attacker to inject arbitrary commands.
Zenitel recommends that users upgrade to Version 9.3.3.0 or later.
CVSS v3: 9.8
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION')
An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely.
Zenitel recommends that users upgrade to Version 9.3.3.0 or later.
CVSS v3: 9.8
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION')
An OS command injection vulnerability exists due to improper input validation. The application passes a parameter taken directly from user input into an OS command without verifying that it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands.
Zenitel recommends that users upgrade to Version 9.3.3.0 or later.
CVSS v3: 9.8
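The three OS command injection entries above describe one pattern: a request parameter (in the last case, one that should be an IP address) reaches an OS command without validation. The following is an added example, not Zenitel's code, showing the vulnerable construction beside a hardened version. It assumes a web handler that receives a host parameter and launches a network tool; echo stands in for the real binary so the demonstration is safe to run, and the vulnerable path assumes a POSIX shell, where a semicolon terminates one command and starts the next.

```python
"""Vulnerable vs hardened handling of a user-supplied IP address that ends up in
an OS command. Added example with an assumed handler; `echo` stands in for a
tool such as ping or traceroute."""
import ipaddress
import shlex
import subprocess

TOOL = "echo"   # assumption: stand-in for the network binary the product invokes


def build_command_vulnerable(host: str) -> str:
    # The parameter is concatenated straight into a shell command line.
    return f"{TOOL} probing {host}"


def run_vulnerable(host: str) -> str:
    # shell=True hands the string to /bin/sh, which honours ';', '|', '&&', '$(...)'.
    result = subprocess.run(build_command_vulnerable(host), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def validate_ip(value: str) -> str:
    """Canonicalise the input and reject anything that is not a literal IPv4 or
    IPv6 address. ipaddress.ip_address refuses hostnames, whitespace inside the
    value and every shell metacharacter, so it doubles as an allow-list."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"not an IP address: {value!r}") from exc


def build_command_hardened(host: str) -> list:
    # argv list: each element is exactly one argument and no shell ever parses it.
    return [TOOL, "probing", validate_ip(host)]


def build_command_quoted(host: str) -> str:
    # Only if a shell is unavoidable (pipelines, redirection): validate first,
    # then quote, so even a validator bug cannot turn the value into syntax.
    return f"{TOOL} probing {shlex.quote(validate_ip(host))}"


def run_hardened(host: str) -> str:
    result = subprocess.run(build_command_hardened(host), shell=False,
                            capture_output=True, text=True)
    return result.stdout


def handle_request(host: str):
    """What the hardened handler returns to the client: (status, body)."""
    try:
        return 200, run_hardened(host)
    except ValueError as exc:
        return 400, str(exc)


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print("vulnerable:", repr(run_vulnerable(payload)))
    print("hardened:  ", handle_request(payload))
    print("hardened:  ", handle_request("127.0.0.1"))
```

The fix is two independent layers: a strict allow-list on the value (parse it as an address and use the canonical form) and a sink that cannot reinterpret it (an argv list with shell=False). Either one alone would have stopped the advisory's payload; both together also cover the argument-injection case of a value that starts with a dash, because the canonical form of a parsed address never does.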