One Year Later, a Look Back at Zerologon

The critical vulnerability did not initially receive much fanfare but was quickly weaponized in APT attacks and became the focus of government alerts.

Kelly Sheridan, Former Senior Editor, Dark Reading

August 27, 2021


Microsoft's Patch Tuesday for August 2020 addressed 120 vulnerabilities, including two zero-days and one elevation-of-privilege flaw in the Netlogon remote protocol that initially flew under the radar for many.

Over the following months, that Netlogon vulnerability quickly became the primary focus among security teams. The flaw was incorporated into advanced persistent threat (APT) toolkits and became the subject of an alert from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), which later issued an Emergency Directive requiring executive branch departments and agencies to apply the fix.

One year after its initial release, we take a look back at why the bug was first overlooked, what makes it so dangerous, and how it has been weaponized by threat groups around the world.

CVE-2020-1472, now known as Zerologon, had a CVSS 3.0 score of 8.8 when it was released on Aug. 11, 2020. That's high for a privilege escalation bug, but not high enough to make it a top priority in a month when businesses had to worry about patching two vulnerabilities under active attack, and a year in which Patch Tuesday delivered at least 100 fixes for most months.

Later that day, Microsoft quietly revised its update and assigned CVE-2020-1472 a CVSS score of 10.0 — "which is huge," says Tenable researcher Claire Tills. An 8.8 is critical, but security teams see many of those. "A 10.0 is rare, especially for a privilege escalation vulnerability. To get a 10.0, that is red flags all over the place. But nobody noticed until a month later," when Secura principal security specialist Tom Tervoort, who discovered the bug, published a white paper on his findings.

Tills hypothesizes this is because organizations that automatically scrape Patch Tuesday feeds received the information indicating an 8.8 CVSS score and not the 10.0. Much of the analysis written that day was based on the same data, with many blog posts and articles focusing more on the two vulnerabilities under attack. Security teams looking for the highest-priority bugs may have missed Microsoft's CVSS score revision and upgrade to "Exploitation More Likely."

Several experts mentioned Zerologon as noteworthy, however, and there are a few reasons why it should have raised eyebrows. The key factor that caused researchers' concern was its existence in the Netlogon protocol.

"This is what we see as a trend with a lot of attackers, a ubiquitous protocol like Netlogon … attackers love those because they are looking for a vulnerability that will get them bang for buck," Tills explains. Attackers generally know an enterprise target will have this enabled.

The 8.8 severity rating should also have drawn attention because privilege escalation flaws usually have a lower severity, she notes. These vulnerabilities generally require attackers to already be local or authenticated, which tends to knock the CVSS score down to around the high 7s. The 8.8 score, combined with the privilege escalation in Netlogon, was cause for concern. When it was reassigned a score of 10, alarm bells should have been ringing.

If CVE-2020-1472 were released today, Tills believes it would get more attention. Between mid-July and mid-September, when Tervoort's research paper was published, there were 800 vulnerabilities patched in the recurring security releases from Oracle, Adobe, and Microsoft — and that's not to mention the dozens more patched outside scheduled releases, she notes in a blog post.

"We talk about overload all the time and that was just the perfect storm of it," she says. "Limited information about the vulnerability, combined with the 18 other fire alarms going on at the same time … the signal-to-noise ratio was impossible to parse, and not having the correct information made it just an unwinnable battle."

A Dangerous Bug in Dangerous Hands

Netlogon is a protocol that serves as a channel between domain controllers and machines joined to the domain, and it handles authenticating users and other services to the domain.

CVE-2020-1472 stems from a flaw in the cryptographic authentication scheme used by the Netlogon Remote Protocol. An attacker who sent Netlogon messages in which various fields are filled with zeroes could change the computer password of the domain controller that is stored in Active Directory, Tervoort explains in his white paper. This can be used to obtain domain admin credentials and then restore the original password for the domain controller, he adds.

"This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premises network post) to completely compromise the Windows domain," Tervoort wrote. "The attack is completely unauthenticated: the attacker does not need any user credentials."

Another reason Zerologon appeals to attackers is it can be plugged into a variety of attack chains. It's rarely the first step in an attack; the adversary can gain initial access through a phishing email or another CVE. It has been paired many times with VPN flaws, Tills notes.

Microsoft's patch for Zerologon arrived in two parts, and its updates modified how Netlogon handles the use of Netlogon secure channels. The fix enforces Secure NRPC for all Windows servers and clients in the domain, breaking step two in Tervoort's exploit process. The second phase of Microsoft's mitigation was released in February, and the company warned admins it would enable "enforcement mode" to block vulnerable connections from noncompliant devices.
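The two paragraphs above describe what the attack leaves behind on a domain controller (a machine-account password reset made over an unauthenticated Netlogon channel) and what the patch adds (logging and later blocking of insecure Netlogon channels). The following triage helper is an added example written for this article, not code from Secura, Microsoft, or Dark Reading. It assumes the domain controller's Security and System logs have been exported as simple records; the field names are simplified stand-ins for the real event fields, and the sample events are constructed. The event IDs it looks for are not on this page: Security event 4742 ("A computer account was changed") is a long-standing Windows event, and System events 5827/5828 (vulnerable Netlogon connection denied) and 5829/5830/5831 (vulnerable connection allowed) were introduced by Microsoft's August 2020 Netlogon update.

```python
"""Triage helper for Zerologon-related Windows events (added example).

Two defender-side signals, both read from a domain controller's own logs:
  * Security event 4742 whose subject is ANONYMOUS LOGON and whose target is a
    machine account ($ suffix): a computer-account password reset made without
    credentials, which is the footprint of a successful CVE-2020-1472 reset.
  * System events 5827/5828 (insecure Netlogon channel denied) and 5829/5830/5831
    (insecure channel still allowed): the inventory of devices that must be fixed
    before "enforcement mode" starts rejecting them.
"""
from collections import Counter

ANON = "ANONYMOUS LOGON"
NETLOGON_DENIED = {5827, 5828}            # denied: machine account / trust account
NETLOGON_ALLOWED_VULNERABLE = {5829, 5830, 5831}  # allowed: deployment phase / by policy

# Constructed sample events (not real telemetry). Keys are simplified stand-ins
# for the Windows event fields they represent.
SAMPLE_EVENTS = [
    # Unauthenticated password change against the DC's own machine account.
    {"log": "Security", "id": 4742, "SubjectUserName": ANON, "TargetUserName": "DC01$"},
    # Routine machine password rotation: the account changes its own password.
    {"log": "Security", "id": 4742, "SubjectUserName": "DC01$", "TargetUserName": "DC01$"},
    # An administrator editing a workstation object: authenticated, not suspicious here.
    {"log": "Security", "id": 4742, "SubjectUserName": "admin", "TargetUserName": "WS17$"},
    # A NAS still negotiating insecure Netlogon channels (allowed during deployment phase).
    {"log": "System", "id": 5829, "MachineSamAccountName": "NAS01$", "ClientIp": "10.0.0.80"},
    {"log": "System", "id": 5829, "MachineSamAccountName": "NAS01$", "ClientIp": "10.0.0.80"},
    # A legacy host already being denied once enforcement is on.
    {"log": "System", "id": 5827, "MachineSamAccountName": "LEGACY7$", "ClientIp": "10.0.0.91"},
    # Unrelated event, ignored.
    {"log": "Security", "id": 4624, "SubjectUserName": "bob"},
]


def is_anonymous_machine_password_change(ev):
    """True for a 4742 raised by ANONYMOUS LOGON against a machine account."""
    return (ev.get("log") == "Security" and ev.get("id") == 4742
            and ev.get("SubjectUserName", "").upper() == ANON
            and ev.get("TargetUserName", "").endswith("$"))


def triage(events):
    """Return (suspected_exploitation, noncompliant_devices).

    suspected_exploitation: machine accounts whose password was changed anonymously.
    noncompliant_devices: Counter keyed by (account, client ip, "denied"|"allowed")
        counting insecure Netlogon channel attempts seen by the DC.
    """
    suspected = []
    noncompliant = Counter()
    for ev in events:
        if is_anonymous_machine_password_change(ev):
            suspected.append(ev["TargetUserName"])
        elif ev.get("log") == "System":
            eid = ev.get("id")
            if eid in NETLOGON_DENIED:
                noncompliant[(ev["MachineSamAccountName"], ev["ClientIp"], "denied")] += 1
            elif eid in NETLOGON_ALLOWED_VULNERABLE:
                noncompliant[(ev["MachineSamAccountName"], ev["ClientIp"], "allowed")] += 1
    return suspected, noncompliant


if __name__ == "__main__":
    hits, devices = triage(SAMPLE_EVENTS)
    for acct in hits:
        print(f"ALERT: anonymous password change on machine account {acct}")
    for (acct, ip, state), n in devices.items():
        print(f"noncompliant device: {acct} ({ip}) insecure channel {state} x{n}")
```

The first signal is the one to page on: a machine account, above all a domain controller's, does not legitimately have its password changed by ANONYMOUS LOGON. The second is a remediation list rather than an alert; the 5829-series events exist precisely so that admins can find third-party or legacy devices before enforcement mode turns those connections into 5827/5828 denials and outages.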

Shortly after Tervoort's technical white paper was released, the timing of which he indicates was coordinated with Microsoft, proof-of-concept code began to appear around the Web. This gave businesses another reason to patch and led CISA to issue its alert and Emergency Directive.

In early October, Microsoft began to warn of APT actors abusing the Zerologon vulnerability. Iranian APT group Mercury — which historically has targeted government organizations, particularly in the Middle East — had been using the flaw in active campaigns for two weeks.

Three days later, Microsoft disclosed observations of new attack activity exploiting Zerologon, this time from Russian-speaking threat group TA505. The attack posed as software updates that connected with known TA505 command-and-control infrastructure. To exploit the flaw, TA505 abused MSBuild[.]exe to compile Mimikatz updated with built-in Microsoft functionality.

Weeks later, Microsoft continued to receive reports from customers affected by exploits targeting the bug. In July 2021, CISA reported Zerologon was one of the top routinely exploited CVEs in 2020.

The Flaws in Vulnerability Updates

The quick increase in attacker activity following Tervoort's white paper is not unusual, says Tills. "Typically, we do see a kind of kickoff once that researcher input comes in, but on the flip side of that coin, that's also where we see a lot of defender behavior kick in," she explains. The technical report contained details that vendors typically don't provide but that are valuable to businesses.

Because Zerologon's update from an 8.8 to 10.0 was only disclosed in the bug's revision history, it didn't generate widespread attention until Tervoort's report arrived a month later. At this point, organizations were scrambling as attackers were developing their exploit code. Tills argues that had Microsoft been more communicative about the score change, defenders would have had more accurate data to prioritize their patching.

While Microsoft is getting the most attention right now — the recently disclosed Print Spooler vulnerabilities faced similar issues with CVE changes — Tills notes the company is not alone in needing to be more transparent in releasing vulnerability information. While Microsoft removed executive summaries from bug disclosures late last year, eliminating information about how flaws can be targeted, it still provides a revision history for CVEs, something other vendors don't do.

"Vendors need to be more transparent in their security bulletins across the board," she notes. Having more detailed information can help defenders prioritize patches with more helpful context than a CVSS score alone.

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.
