Patch now! Attacks on the zero logon vulnerability in Windows Server

Microsoft warns of attacks on a critical vulnerability in various Windows server versions. Samba is also affected.

Windows admins should update their servers quickly to protect against attacks. By successfully exploiting the “critical” vulnerability, known as zero logon, attackers could take over entire domains with admin rights.

The vulnerability (CVE-2020-1472) has the highest possible CVSS score of 10 out of 10. Security updates have been available since patch day in August. Microsoft has listed the affected Windows server versions in an official warning.

The first exploit code appeared in mid-September. Microsoft has now observed the first attacks and published information on Twitter. It advises admins to update their servers immediately. Microsoft has compiled further security tips in a support article.

Due to errors in the use of AES-CFB8 encryption in the Netlogon process, unauthenticated remote attackers could establish a connection to a domain controller via the Netlogon Remote Protocol (MS-NRPC).

For this to work, attackers would only have to send Netlogon messages prepared with zeros in certain places, according to the report by Secura, the discoverers of the vulnerability. As a result, admin credentials, for example, could leak. Admins can use a test script to check their domain controllers for the vulnerability.

Samba is only vulnerable to zero logon if the server software is used as a domain controller (Active Directory DC or NT4-style DC).

If this is the case, admins should ensure that at least version 4.8 from March 2018 is installed. According to a warning message from the Samba developers, this defaults to a secure Netlogon process.

Whether this zero-logon-secured login process is active can be seen from the “server schannel = yes” entry in the smb.conf configuration file. But if it says “no” or “auto”, Samba 4.8 is also vulnerable to zero logon attacks. This is the default setting in 4.7 and earlier. The Samba developers recommend installing the recently released versions 4.10.18, 4.11.13 or 4.12.7.
