09/15/2020 | News release | Distributed by Public on 09/15/2020 13:56
On September 11, 2020, researchers at the Dutch security firm Secura published a technical write-up (and a test script) describing how an unauthenticated attacker with network access to a domain controller can take control of it and obtain domain administrator privileges. The vulnerability (CVE-2020-1472) carries the maximum CVSS v3 base score of 10.0.
The root cause is a cryptographic flaw in the Netlogon Remote Protocol (MS-NRPC), which domain members use to authenticate to domain controllers over a secure channel. Current domain controllers compute the Netlogon credential with AES in CFB8 mode, but the implementation uses a fixed, all-zero initialization vector. With a zero IV, roughly 1 in 256 session keys turns an all-zero 8-byte client challenge into an all-zero credential, so an attacker who keeps submitting zeros for both the client challenge and the client credential passes authentication as any computer account, including the domain controller's own, after about 256 attempts on average and without knowing its password. The same zero-IV encryption protects the NetrServerPasswordSet2 call, so the attacker can then set that computer account's password to an empty string and use the account to take over the domain controller. The zeros that run through every step of the attack are why the bug became known as 'Zerologon'.
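As an added illustration that is not part of the original release and not Qualys or Microsoft code, the following Go program reproduces the arithmetic behind that 1-in-256 figure. It implements AES-CFB8 with the all-zero IV the way Netlogon's ComputeNetlogonCredential uses it, checks whether an all-zero client challenge produces an all-zero credential under a given session key, and shows that under such a key an all-zero 516-byte encrypted password buffer decrypts to all zeros. Session keys are modelled as uniformly random 128-bit values from a seeded generator rather than derived from a real machine password; that modelling and all helper names are assumptions of the example, not Netlogon's own code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
	"math/rand"
)

// Netlogon's AES credential computation uses AES-CFB8 with a constant
// all-zero IV. That fixed IV is the Zerologon flaw, reproduced on purpose.
var zeroIV = make([]byte, aes.BlockSize)

// cfb8 runs AES in 8-bit cipher feedback mode over data with the given IV.
// encrypt=false decrypts: the register is fed ciphertext bytes either way,
// only the source of the fed-back byte differs.
func cfb8(key, iv, data []byte, encrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	reg := make([]byte, aes.BlockSize)
	copy(reg, iv)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(data))
	for i, b := range data {
		block.Encrypt(ks, reg)
		out[i] = b ^ ks[0] // one keystream byte per step
		fed := out[i]      // encrypting: feed back the ciphertext produced
		if !encrypt {
			fed = b // decrypting: the input byte is the ciphertext
		}
		copy(reg, reg[1:]) // shift the register left by one byte
		reg[aes.BlockSize-1] = fed
	}
	return out
}

// netlogonCredential mirrors ComputeNetlogonCredential (AES flavour):
// the 8-byte challenge encrypted under the session key with the zero IV.
func netlogonCredential(sessionKey, challenge []byte) []byte {
	return cfb8(sessionKey, zeroIV, challenge, true)
}

// firstKeystreamByteIsZero is the condition that makes a session exploitable:
// AES_k(0^16)[0] == 0. Then every CFB8 step over zero input sees the same
// all-zero register and emits the same zero byte.
func firstKeystreamByteIsZero(sessionKey []byte) bool {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		panic(err)
	}
	ks := make([]byte, aes.BlockSize)
	block.Encrypt(ks, zeroIV)
	return ks[0] == 0
}

// zeroChallengeBypasses reports whether a client sending an all-zero client
// challenge plus an all-zero client credential passes the DC's
// NetrServerAuthenticate3 check under this session key.
func zeroChallengeBypasses(sessionKey []byte) bool {
	zero := make([]byte, 8)
	return bytes.Equal(netlogonCredential(sessionKey, zero), zero)
}

// decryptedPasswordBuffer shows the follow-on step: NetrServerPasswordSet2
// carries a 516-byte NL_TRUST_PASSWORD encrypted with the same key and zero
// IV. Under an exploitable key, 516 zero bytes decrypt to all zeros, which
// the DC reads as a password of length 0.
func decryptedPasswordBuffer(sessionKey []byte) []byte {
	return cfb8(sessionKey, zeroIV, make([]byte, 516), false)
}

// countBypasses draws n pseudo-random 128-bit session keys from a seeded
// generator (a stand-in for real Netlogon key derivation) and counts how
// many accept the all-zero credential. Expect about n/256.
func countBypasses(n int, seed int64) int {
	r := rand.New(rand.NewSource(seed))
	key := make([]byte, 16)
	hits := 0
	for i := 0; i < n; i++ {
		r.Read(key)
		if zeroChallengeBypasses(key) {
			hits++
		}
	}
	return hits
}

// bypassMatchesKeystreamCondition checks over n seeded keys that the bypass
// succeeds exactly when AES_k(0^16)[0] == 0.
func bypassMatchesKeystreamCondition(n int, seed int64) bool {
	r := rand.New(rand.NewSource(seed))
	key := make([]byte, 16)
	for i := 0; i < n; i++ {
		r.Read(key)
		if zeroChallengeBypasses(key) != firstKeystreamByteIsZero(key) {
			return false
		}
	}
	return true
}

func main() {
	const trials = 65536
	hits := countBypasses(trials, 1)
	fmt.Printf("%d of %d random session keys accept the all-zero credential\n", hits, trials)
	if hits > 0 {
		fmt.Printf("that is roughly 1 in %d\n", trials/hits)
	}
}
```

The program makes two points the paragraph above only states: the bypass depends on nothing but the first byte of AES_k(0^16), so a zero client challenge is the only message the attacker ever needs to send, and the same property carries straight into the password-change call. A correct CFB8 implementation with a fresh random IV per message would not have either property.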
A complete list of affected products is available in Microsoft's August 2020 security advisory for CVE-2020-1472.
The first step in managing vulnerabilities and reducing risk is identifying the assets at risk. Since CVE-2020-1472 affects domain controllers, which run Windows Server, Qualys VMDR makes it easy to identify Windows Server systems with the following asset query:
(operatingSystem.category1:Windows and operatingSystem.category2:Server)
Once the hosts are identified, they can be grouped together with a 'dynamic tag', say 'Zerologon'. This automatically groups the existing Windows servers as well as any new Windows server that spins up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the Qualys Cloud Platform.
Now that the Windows servers are identified, you want to detect which of them are actually flagged with this vulnerability. VMDR automatically detects new vulnerabilities like Zerologon based on its continuously updated KnowledgeBase.
You can see all your impacted hosts for this vulnerability, tagged with the 'Zerologon' asset tag, in the Vulnerabilities view by using this QQL query:
Or you could modify your search to:
Vulnerability - vulnerabilities.vulnerability.qid:91668
Asset - (operatingSystem.category1:Windows and operatingSystem.category2:Server)
This will return a list of all impacted hosts.
QID 91668 is available in signature version VULNSIGS-2.4.958-3 and above and can be detected using authenticated scanning or the Qualys Cloud Agent manifest version 2.4.958.3-2 and above.
Using VMDR, the Zerologon vulnerability can be prioritized using the following real-time threat indicators (RTIs):
VMDR also lets you stay on top of such threats proactively via the 'live feed' used for threat prioritization. With the live feed updated for all emerging high and medium risks, you can clearly see the impacted hosts for each threat.
Simply click on the impacted assets for the Zerologon threat feed to see the vulnerability and impacted host details.
With the VM Dashboard, you can track Zerologon, the impacted hosts, their status and overall remediation progress in real time. With trending enabled for dashboard widgets, you can follow Zerologon vulnerability trends in your environment using (link to DB****).
VMDR can rapidly remediate the Windows hosts by deploying the most relevant and applicable patch for each affected technology version. Simply search for 'cve:`CVE-2020-1472`' in the Patch Catalog and filter on 'Missing' patches to identify and deploy the applicable, available patches in one go for the hosts grouped by the 'Zerologon' tag.
For proactive, continuous patching, create a job without a Patch Window so that all hosts keep receiving the required patches as new ones become available for emerging vulnerabilities.
Users are encouraged to apply patches as soon as possible.
Users are advised to review their Windows installations against Microsoft's August 2020 security advisory mentioned above. Note that installing the August 2020 update is not the end of the story: Microsoft is rolling out the fix in two phases. The August 2020 update puts domain controllers into an initial deployment phase that blocks vulnerable Netlogon secure channel connections from Windows devices and trust accounts but, by default, still allows them from non-compliant third-party devices, and it logs event IDs 5827 through 5831 in the System event log so that such devices can be found and fixed. The update scheduled for February 2021 turns on enforcement mode by default, after which all vulnerable connections are refused. Enforcement mode can be switched on earlier by setting the FullSecureChannelProtection registry value (DWORD 1) under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters on each domain controller.
Start your Qualys VMDR trial for automatically identifying, detecting and patching the high-priority Zerologon vulnerability CVE-2020-1472.