The Zerologon Vulnerability Allows Attackers to Hijack Windows Domain Controller


Please find below a comment from Satnam Narang about ‘Zerologon’, a vulnerability in Netlogon that could allow attackers to hijack Windows domain controllers. The attack requires local network access and therefore cannot be performed directly over the internet. However, once an attacker has a foothold in the target environment, they can change the administrator password on any Windows Domain Controller they can reach. Exploit scripts are already available on GitHub; hence, organizations are strongly encouraged to apply the patches provided by Microsoft immediately.

“The disclosure of the ‘Zerologon’ vulnerability, identified as CVE-2020-1472, is a significant finding, as an attacker could exploit this flaw to reset the password of the domain administrator on an organization’s domain controller. This scenario is a game-over situation for any organization.

The impact of the flaw is limited to an attacker who has already gained a foothold inside an organization’s network. Despite this limitation, an attacker could leverage any number of existing unpatched vulnerabilities to breach their target network before pivoting to compromise the vulnerable domain controller. Additionally, we foresee this flaw being a compelling addition to the toolkit of ransomware gangs, who have already wreaked havoc on private organizations, educational institutions and governments over the last few years.

As we’ve already seen several exploit scripts for this vulnerability published to GitHub, which provides a blueprint for defenders and attackers, we strongly encourage organizations to apply the patches provided by Microsoft immediately. If your domain controllers are running unsupported versions that are no longer receiving security updates from Microsoft, it is imperative to upgrade those as soon as possible.” – Satnam Narang, Staff Research Engineer, Security Response.

Please click here to view the full blog.
