Those who were unable to patch their servers were asked to remove such devices from the network. The flaw is present in all supported versions of Windows.
The CISA said the vulnerability was present in Microsoft Windows Netlogon Remote Protocol, a core authentication component of Active Directory.
It allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services.
Tom Tervoort of the security firm Secura, which found the flaw, wrote: "In order to mitigate this issue, it is highly recommended to install Microsoft’s August 2020 security patches on all Active Directory domain controllers.
"Leaving a DC unpatched will allow attackers to compromise it and give themselves domain admin privileges. The only thing an attacker needs for that is the ability to set up TCP connections with a vulnerable DC; i.e. they need to have a foothold on the network, but don’t require any domain credentials."
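The patch Tervoort refers to does more than close the hole: Microsoft's August 2020 update also made the Netlogon service write events 5827 to 5831 (source NETLOGON, System log) whenever a client tries to use a vulnerable secure-channel connection, so a patched domain controller can tell an administrator which machines still need attention. The following script is an added example written for this article, not code from Secura, Microsoft or the CISA; the event IDs are the ones introduced by that update, while the parameter names and the wording of the summary are this example's own choices.

```powershell
# Added example: summarise Netlogon secure-channel events on a domain
# controller that has the August 2020 update installed. Event IDs 5827-5831
# (provider NETLOGON, System log) were introduced by that update; a DC that
# never logs them may simply be unpatched, which is itself a finding.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query (assumed name)
    [int]$Days = 7                               # look-back window (assumed)
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Netlogon 5827-5831 events on $ComputerName in the last $Days days."
    Write-Output "Either no vulnerable secure-channel attempts occurred, or this DC lacks the August 2020 update."
    return
}

# One row per event ID, with what that ID means for the DC's exposure.
$events | Group-Object Id | ForEach-Object {
    $meaning = switch ([int]$_.Name) {
        5827 { 'Denied: vulnerable connection from a machine account (enforcement active)' }
        5828 { 'Denied: vulnerable connection from a trust account (enforcement active)' }
        5829 { 'ALLOWED: vulnerable connection still permitted (monitoring mode) - review source' }
        5830 { 'Allowed by explicit policy exception (machine account)' }
        5831 { 'Allowed by explicit policy exception (trust account)' }
    }
    [pscustomobject]@{ EventId = $_.Name; Count = $_.Count; Meaning = $meaning }
} | Format-Table -AutoSize

# 5829 is the one to act on: each entry names a client that is still using
# the vulnerable connection and should be patched or, as the CISA directive
# says, taken off the network. Show the most recent ones.
$events |
    Where-Object Id -eq 5829 |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 20 TimeCreated, @{ Name = 'Detail'; Expression = { ($_.Message -split "`r?`n")[0..3] -join ' | ' } } |
    Format-Table -AutoSize
```

Run it on, or against, each domain controller; a DC that returns the "no events" message should be checked against the installed-update list rather than assumed clean, since an unpatched DC cannot produce these events at all.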
The CISA said the nature of the flaw required emergency action. It gave the following reasons:
- the availability of the exploit code in the wild increasing the likelihood of any unpatched domain controller being exploited;
- the widespread presence of the affected domain controllers across the federal enterprise;
- the high potential for a compromise of agency information systems;
- the grave impact of a successful compromise; and
- the continued presence of the vulnerability more than 30 days since the update was released.
Contacted for comment, former NSA hacker Jake Williams said: "There's no question that Zerologon is bad, but it's not something that should be difficult to patch. Organisations that can't figure out how to take downtime for, of all things, a domain controller are already in a perilous position and honestly Zerologon isn't their biggest risk."