- Homeland Security issued an emergency alert on Friday for a severe Windows vulnerability called Zerologon that would allow hackers to gain access to any computer on a network within minutes.
- The Cybersecurity and Infrastructure Security Agency (CISA) strongly advises all governmental agencies to upgrade their systems, urging Windows users in the private sector and the general public to do the same.
- Microsoft issued a patch in August for the issue but will follow up with another fix in the coming months.
Security researchers have identified a severe security issue affecting Windows that would allow attackers to take over computers and use them for nefarious purposes in “about three seconds in practice.” The vulnerability is so severe that Homeland Security issued a rare emergency alert on Friday advising everyone to “go get patching,” including federal agencies, state and local governments, the private sector, and the general public.
First detailed by Secura (via TechCrunch), the vulnerability is called Zerologon (CVE-2020-1472) and carries the maximum severity rating of 10.0. The security issue allows attackers to control any or all computers on a vulnerable network, including the domain controllers, the servers that handle the network’s security.
Unlike many attacks, Zerologon doesn’t require attackers to first steal credentials for the network in order to reach other computers on it. Hackers would only need to forge an authentication token for a specific Netlogon function. After that, they could set the computer password of the domain controller to whatever they wanted, which would in turn give them access to the credentials of a domain admin. As Secura explains:
The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.
Access to the network would then give the attackers unchecked control over other computers. Hackers could install other malicious programs, including malware or ransomware, and steal sensitive internal files.
Microsoft issued a patch in August to prevent exploitation, but that’s not a permanent fix. A second patch is due to roll out early next year to close the issue for good. The CISA warning makes it clear the issue is quite severe:
Left unpatched, this vulnerability could allow attackers to compromise network identity services. We have directed agencies to implement the patch across their infrastructure by Monday, September 21, and given instructions for which of their many systems to prioritize.
CISA already “assumes active exploitation of this vulnerability is occurring in the wild.”
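The two-stage rollout described above (an August update now, enforcement later) means a domain controller can be patched yet still accept vulnerable Netlogon connections until enforcement is switched on. The following is an added example, not code from the article, from Secura or from Microsoft, of how an administrator can check where a domain controller stands. It assumes the `FullSecureChannelProtection` registry value and the System-log event IDs (5827 and 5828 for vulnerable connections denied, 5829 for vulnerable connections still allowed) that Microsoft documented alongside the August Netlogon update; the function name `Test-NetlogonHardening` and the seven-day window are this example’s own choices.

```powershell
# Added example (not from the article, Secura or Microsoft). Run in an elevated
# PowerShell session on each domain controller. Assumes the FullSecureChannelProtection
# registry value and NETLOGON event IDs 5827/5828 (vulnerable connection denied) and
# 5829 (vulnerable connection allowed) documented with the August 2020 update.

function Test-NetlogonHardening {
    param([int]$Days = 7)   # how far back to look in the System log

    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $mode = (Get-ItemProperty -Path $paramsKey -Name FullSecureChannelProtection `
                 -ErrorAction SilentlyContinue).FullSecureChannelProtection

    # Events 5827/5828 are only emitted by a DC that has the August update, so seeing
    # them confirms the patch is active; 5829 means a vulnerable client is still let in.
    $filter = @{ LogName = 'System'; Id = 5827, 5828, 5829; StartTime = (Get-Date).AddDays(-$Days) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $counts = @{}
    foreach ($id in 5827, 5828, 5829) {
        $counts[$id] = @($events | Where-Object Id -eq $id).Count
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        EnforcementEnabled = ($mode -eq 1)
        DeniedConnections  = $counts[5827] + $counts[5828]
        AllowedVulnerable  = $counts[5829]
        # Each 5829 message names a client that will stop working once enforcement
        # is on; triage these before setting FullSecureChannelProtection to 1.
        VulnerableClients  = @($events | Where-Object Id -eq 5829 |
                               ForEach-Object { $_.Message } | Sort-Object -Unique)
    }
}

Test-NetlogonHardening -Days 7 | Format-List
```

A result with `EnforcementEnabled` false and no 5827/5828/5829 events in the window does not prove the update is missing; it may simply mean no vulnerable client has tried to connect, so confirm the installed update separately (for example with `Get-HotFix`) before trusting the log-based check.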
Meanwhile, the Senate is considering a bill that would require tech companies to build backdoors into their encrypted products and devices. Once hackers discovered it, such a backdoor would work much like this newfound Windows flaw: attackers would look for ways to reach it and abuse it. That’s not to say the Zerologon security issue is a backdoor, but its severity makes it an apt point of comparison.