Microsoft warned Windows 10 users after it received a “small number of reports” from customers and others about a vulnerability affecting the Netlogon protocol (CVE-2020-1472).
Netlogon is a Windows Server process that authenticates users and other services within a domain. It runs continuously in the background unless it is stopped manually or by a runtime error. Since it is a service and not an application
The flaw in the protocol, which administrators rely on for authentication to Windows Server, was serious enough for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to order US government agencies to apply Microsoft’s patch for the bug, tracked as CVE-2020-1472 and also known as Zerologon.
Defensive researchers pointed out that the bug would be a prime target for attackers and was easy to exploit. Although Microsoft released the patch on Tuesday, August 11, some system admins may not have been aware of the flaw.
In a blog post, Microsoft added that it had “contacted the Cybersecurity and Infrastructure Security Agency (CISA) which has issued an additional alert to remind state and local agencies, including those involved in the U.S. elections, about applying steps necessary to address this vulnerability.”
By spoofing Active Directory domain controller accounts, attackers could run malware on a device. Making matters worse, publicly available proof-of-concept Zerologon exploits appeared soon after Microsoft released its patch.
Moreover, Windows Server domains are widely used in US government networks, and the bug carried a rare severity rating of 10/10. Following Microsoft’s August 11 patch release, CISA warned agencies to apply the patch in the same week as
Microsoft has updated the FAQs in its original August guidance to provide further clarity.
- UPDATE your Domain Controllers with an update released August 11, 2020, or later.
- FIND which devices are making vulnerable connections by monitoring event logs.
- ADDRESS non-compliant devices making vulnerable connections.
- ENABLE enforcement mode to address CVE-2020-1472 in your environment.
The guidance recommends that admins update Domain Controllers with the patch, monitor event logs for devices making vulnerable connections, address those devices, and enable enforcement mode.
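The FIND and ENABLE steps above, as an added example to run on a patched Domain Controller; this is not code from the article or from Microsoft. The Netlogon event IDs 5827 to 5831 and the FullSecureChannelProtection registry value are the ones Microsoft documents for this update; the -Days parameter, the output shape, and the assumption that the machine account name is the first replacement string in each event are this example's own.

```powershell
# Added example: list devices making vulnerable Netlogon secure-channel
# connections (event IDs 5827-5831) and report whether enforcement mode
# (FullSecureChannelProtection = 1) is set on this Domain Controller.
param([int]$Days = 7)   # look-back window, this example's own parameter

# 5827/5828: vulnerable connection denied; 5829: allowed during the initial
# deployment phase (these are the devices to fix); 5830/5831: allowed via
# group policy exception.
$ids   = 5827, 5828, 5829, 5830, 5831
$since = (Get-Date).AddDays(-$Days)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = $ids
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Count events per (ID, machine account) so the noisiest devices are first.
# Assumption: the machine SamAccountName is the first replacement string.
$events |
    ForEach-Object {
        [pscustomobject]@{
            Id      = $_.Id
            Account = $_.Properties[0].Value
            Time    = $_.TimeCreated
        }
    } |
    Group-Object Id, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Enforcement mode check: a value of 1 enforces secure RPC for all machine
# accounts; absent or 0 means the DC is still in the deployment phase.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$val = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection `
        -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($val -eq 1) {
    Write-Output 'Enforcement mode: ENABLED (FullSecureChannelProtection=1)'
} else {
    Write-Output "Enforcement mode: NOT enabled (current value: '$val')."
    Write-Output 'Set FullSecureChannelProtection to 1 once no 5829 events remain.'
}
```

Run it in an elevated PowerShell session on each Domain Controller; devices that still appear under event 5829 need updating or a documented exception before enforcement mode is switched on.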