2021 Prediction #3: Zerologon Will Continue to Haunt Us Into 2021

Let’s continue stepping through my eight predictions for 2021!  So far, we’ve been talking mainly about attacks like ransomware and digital reputation attacks. Today, we’re going to switch it up by discussing not an attack to defend against but a vulnerability to patch, with prediction #3: Zerologon will continue to haunt us into 2021.

Zerologon is bad. Really bad.

Zerologon is a critical vulnerability in the Windows Netlogon Remote Protocol (MS-NRPC), which Microsoft disclosed in August 2020 in CVE-2020-1472. A flaw in a protocol may not sound like such a bad thing, but Netlogon is a core authentication component of Active Directory — basically, it provides a secure channel between computers and domain controllers (DCs).

As a result, Zerologon is a doozy of a vulnerability. By exploiting it, a hacker can impersonate any computer, including the root domain controller. It’s actually hard to overstate how bad that could be for an organization. A successful attacker can do just about anything they please in your IT environment.

What’s worse, according to Dutch security firm Secura, a malicious actor needs just one thing to take advantage of Zerologon: the ability to set up a TCP connection with a vulnerable domain controller. That means they need to have a foothold on the network but — importantly — they don’t need domain credentials. It also means that it’s not just domain controllers that are reachable from the internet that are vulnerable; Zerologon gives any cybercriminals who already have a foothold in your network a golden opportunity for privilege escalation. As long as the Zerologon flaw remains on even one of your domain controllers, your entire IT infrastructure is vulnerable.

Not surprisingly, the industry-standard Common Vulnerability Scoring System (CVSS) assigned Zerologon a score of 10, the maximum severity rating for a software flaw.

Yes, you need to be worried!

It’s true that some vulnerabilities are mostly theoretical — someone could conceivably take advantage of them but the effort involved is so great and yields so little benefit that it’s unlikely anyone would bother. That’s definitely not the case with Zerologon.

Because the flaw is relatively simple to exploit and delivers nearly godlike powers, it is most definitely being actively targeted by malicious actors. In fact, several versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form — the first of which was published mere hours after Secura posted details about the vulnerability on September 14. Clearly, Zerologon is so easy to exploit that hackers don’t need either much time or much skill.

Later in September, Microsoft’s Security Intelligence unit confirmed Zerologon attacks in the wild, tweeting, “We have observed attacks where public exploits have been incorporated into attacker playbooks.” At the end of October, Microsoft’s VP of Engineering issued a warning about the continued exploitation of Zerologon and again urged all customers to take action ASAP.

Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) even issued a rare emergency directive requiring all civilian government agencies to take action against Zerologon immediately, leading at least one cybersecurity expert to speculate that some federal departments might have already fallen victim to vulnerability.

If you haven’t updated your DCs, do it ASAP.

Back on August 11 (Patch Tuesday), Microsoft released Windows updates that all organizations were strongly advised to deploy promptly on all DCs. These updates address the security issue for Active Directory domains and trusts, as well as devices running a supported version of Windows.

To mitigate the security issue for third-party devices, organizations also need to enable DC enforcement mode for all machine accounts using the new FullSecureChannelProtection registry key. With enforcement mode active, DCs will deny vulnerable Netlogon secure channel connections.

Why Zerologon will continue making life difficult into 2021.

Sounds great, right? Why am I predicting Zerologon will continue to be a thorn in the side of admins and cybersecurity pros in 2021? Part of the problem is that many organizations haven’t yet bothered to apply the August updates from Microsoft! Clearly, those IT pros are going to have their hands full.

But there’s another catch: Applying the patch and activating enforcement mode can break legitimate business processes. Your organization might very well have machine accounts that rely on vulnerable Netlogon connections; blocking those connections will disrupt any business process that depends upon them.

The workaround is to make exceptions to enforcement mode for any non-compliant devices you need to continue using. You can do that by using the allow list in the new Group Policy “Domain controller: Allow vulnerable Netlogon secure channel connections.” But then you’re allowing at least some vulnerable connections! As Microsoft puts it: “Any device in the allow list will be allowed to use vulnerable connections and could expose your environment to the [Zerologon] attack.”

Microsoft is fully aware that the August patch and associated steps are only a partial solution to the Zerologon vulnerability. Accordingly, they are planning a second phase for the mitigation strategy, which is scheduled for February 2021. At that time, enforcement mode will be enabled on all Windows DCs and you will not be able to disable it. Therefore, you need to either (A) ensure that your business no longer relies on any non-compliant devices or (B) add every one of the devices you do need to the Group Policy allow list and accept the associated risk.

Closely monitoring changes and other activity in your network is a security best practice no matter what, but if you put any device on that allow list, continuous auditing is absolutely critical. In particular, you want to know when any account accesses services and objects it doesn’t normally use, and lock down your most important AD objects from being modified in the first place.

Stay tuned…

That’s it for my third prediction for 2021! Next up is #4: People will remember the hard way that they have Group Policy.

About the Author

Jennifer LuPiba

Jennifer LuPiba is the Chair of the Quest Software Customer Advisory Board, engaging with and capturing the voice of the customer in such areas as cybersecurity, disaster recovery, management and the impact of mergers and acquisitions on Microsoft 365, Azure Active Directory and on-premises Active Directory. She also writes thought leadership articles and blogs aimed at the c-suite to evangelize the importance of these areas to their overall business. She chairs The Experts Conference, a yearly event focused on pure Active Directory and Office 365 training at the 300 and 400 level for the boots-on-the-ground Microsoft admins and managers.

Related Articles