I bring up the Zerologon vulnerability issue again. Microsoft warns that attackers are actively using Zerologon exploits against Windows Server. Windows Server administrators should urgently install the necessary security updates. But Samba servers are also vulnerable. Here is some more information on this topic.
The Zerologon vulnerability (CVE-2020-1472)
I had the topic several times in my blog (see links at the end of this article). The Zerologon vulnerability (CVE-2020-1472) is a Privilege Escalation vulnerability due to the insecure use of AES-CFB8 encryption for Netlogon sessions. The vulnerability allows the takeover of Active Directory Domain Controllers (DC) – even remotely, if reachable via network/Internet – by unauthorized attackers.
I covered the topic within my blog post Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking. Last weekend the US Cyber Security and Infrastructure Security Agency (CISA) issued a warning and an emergency order giving the US government authorities a four-day deadline to implement a Windows Server patch against the Zerologon vulnerability (CVE-2020-1472) (see CISA Warning: Patch your Windows Servers against CVE-2020-1472 (Zerologon)).
Patches for Windows Server and Samba Server available
Microsoft closes the vulnerability in two stages, as can be read in the support article KB4557222. With the security update of August 11, 2020 (see link list at the end of the article), the first stage of protection was initiated. This means that protection is now possible for the supported Windows Server variants.
However, for Windows Server 2008 R2, the patch is only available for customers who have purchased the Microsoft ESU program for a fee (which is virtually impossible without a volume license agreement). If you didn’t get a patch for Windows Server 2008 R2, I refer you to the alternative solution of 0patch (see 0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2).
What I didn’t notice until a few days ago: Samba servers running Linux are also affected by the Zerologon vulnerability. The Samba team has released a security update to close the critical vulnerability CVE-2020-1472 in Samba 4.0 and higher. This vulnerability could allow a remote attacker to take control of an affected system. Samba 8.0 and higher does not have this vulnerability unless the smb.conf configuration file is modified (see the notes from the Samba team).
How to detect an infection?
Finally, a short note for administrators who face the problem of having to detect an infection via the Zerologon vulnerability. The Hacker News gives a little help in this article. The security vendor Cynet not only explained the cause of the problem, but also gave details about some critical artifacts that can be used to detect active exploitation of the vulnerability.
This includes a certain pattern in the memory of the lsass.exe process and an abnormal increase in traffic between lsass.exe and the attacker’s systems. “The best documented artifact is Windows Event ID 4742 ‘A computer account has been changed’, often combined with Windows Event ID 4672 ‘Special permissions for new logon’”, write the Cynet security people.
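As an added example (not code from the article or from Cynet), the following Python snippet correlates these two artifacts over a constructed JSON-lines export of the Security log: a 4742 event that changed a computer account’s password, followed within a short window by a 4672 privileged logon of that same account. The field names, the sample events and the one-minute window are assumptions made for this example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of Windows Security events exported as JSON lines (not
# real logs). The field names are an assumption made for this example.
SAMPLE_LOG = """
{"time": "2020-09-20T10:00:01", "id": 4742, "target": "DC01$", "password_last_set": "9/20/2020 10:00:01 AM"}
{"time": "2020-09-20T10:00:03", "id": 4672, "subject": "DC01$"}
{"time": "2020-09-20T11:30:00", "id": 4742, "target": "WS42$", "password_last_set": "-"}
{"time": "2020-09-20T11:45:00", "id": 4672, "subject": "Administrator"}
"""

def load_events(text):
    """Parse a JSON-lines export into event dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])

def find_suspicious_changes(events, window_seconds=60):
    """Flag 4742 events that set a new password on a computer account ($)
    and are followed within window_seconds by a 4672 logon of that account."""
    window = timedelta(seconds=window_seconds)
    findings = []
    for ev in events:
        if ev["id"] != 4742 or not ev.get("target", "").endswith("$"):
            continue
        if ev.get("password_last_set", "-") == "-":
            continue  # password attribute unchanged: not the pattern we look for
        for later in events:
            if (later["id"] == 4672 and later.get("subject") == ev["target"]
                    and ev["time"] <= later["time"] <= ev["time"] + window):
                findings.append({"account": ev["target"],
                                 "changed_at": ev["time"].isoformat(),
                                 "logon_at": later["time"].isoformat()})
                break
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_changes(load_events(SAMPLE_LOG)):
        print(finding)
```

On the sample data only DC01$ is reported; the WS42$ change has no password update and no matching 4672 within the window.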
To help Windows server administrators quickly detect similar attacks, Cynet security experts have published a YARA rule for their own software. For real-time monitoring, they have also made available a simple tool for downloading (Cynet-Zerologon-Detector.zip). The Cynet Zerologon Detector is an executable application that can be installed and uninstalled via batch file. Details can be read in this Cynet article.
There is also the open source package Zeek to detect the attacks. Meanwhile, the vendors of SIEM solutions have also taken precautions to detect Zerologon attacks, as I just found out during a quick internet search. Perhaps it will help.
Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
CISA Warning: Patch your Windows Servers against CVE-2020-1472 (Zerologon)
Windows Domain Controller suddenly generate EventID 5829 warnings (August 11, 2020)
Windows 10 V1607: Update KB4571694 creates ID 5827 events, bricks MMC