Feds Yell PATCH NOW over Windows AD ‘Zerologon’ Vuln

CISA sent an unusual warning late last week. The federal cybersecurity agency instructed government IT departments to drop everything and patch their Windows servers.

The source of all their fears? The Zerologon vulnerability, disclosed last week. August’s patch Tuesday fixed the bug, but it’s feared many organizations will have delayed installing it on their AD domain controllers.

The thing is, Zerologon rates a perfect 10 on the CVSS scale. In today’s SB Blogwatch, we run and hide.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Maiden Goes To Hollywood.

Fix It or Can It

What’s the craic, Zack? Mister Whittaker reports—“Homeland Security issues rare emergency alert”:

 The Cybersecurity and Infrastructure Security Agency, better known as CISA, [is] requiring all federal departments and agencies to “immediately” patch any Windows servers vulnerable to the so-called Zerologon attack … citing an “unacceptable risk” to government networks. … Rated the maximum 10.0 in severity, [it] could allow an attacker to take control of any or all computers on a vulnerable network, including domain controllers.

The bug was appropriately called “Zerologon,” because an attacker doesn’t need to steal or use any network passwords to gain access to the domain controllers. … With complete access to a network, an attacker could deploy malware, ransomware, or steal sensitive internal files.

Although the CISA alert only applies to federal government networks, the agency said it “strongly” urges companies and consumers to patch their systems as soon as possible if not already.

And Dan Goodin adds—“Agencies that don’t update must disconnect all domain controllers”:

 Microsoft published a patch last Tuesday. … No later than 11:59pm EDT on Wednesday, agencies are to submit a completion report attesting the update has been applied to all affected servers or provide assurance that newly provisioned or previously disconnected servers will be patched.

It’s possible for attackers to exploit the vulnerability over the Internet [if] organizations expose their domain controllers. [Or, if they] have exposed Server Message Block … or Remote Procedure Call, [it] may be exploitable. … Queries using the Binary Edge search service show that almost 30,000 domain controllers are viewable and another 1.3 million servers have RPC exposed.

Zerologon is tracked as CVE-2020-1472. … Further raising the stakes was the release by multiple researchers of proof-of-concept exploit code that could provide a roadmap for malicious hackers.

Researchers continue to find evidence that people are actively developing attack code. … Given the stakes and the amount of publicly available information about the vulnerability, it wouldn’t be surprising to see in-the-wild exploits emerge in the coming days.

Feeling smug because you don’t use Windows? Stop that, say Samba’s Andrew Bartlett and Douglas Bagnall:

 Installations running Samba as … the Active Directory DC [or] the classic/NT4-style DC [are] vulnerable. However, since version 4.8 … the default behaviour of Samba has been to insist on a secure netlogon channel … equivalent to having ‘server schannel = yes’ in the smb.conf.

Versions 4.8 and above are not vulnerable unless they have the smb.conf lines ‘server schannel = no’ or ‘server schannel = auto’. Samba versions 4.7 and below are vulnerable unless they have ‘server schannel = yes’. … Each domain controller needs the correct settings in its smb.conf.

Samba 4.10.18, 4.11.13, and 4.12.7 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.

Our Code, Our Bugs, Our Responsibility.
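
The version and smb.conf rule quoted above can be checked mechanically on each domain controller. The following is an added example, not code from the Samba project or from the original post; the function names and sample configs are constructed for illustration, and it reads only the text it is given (it does not follow `include` lines).

```python
import re

# Boolean spellings smb.conf accepts; "auto" is a third state for this option.
_TRUE = {"yes", "true", "1", "on"}
_FALSE = {"no", "false", "0", "off"}


def schannel_setting(conf_text):
    """Return 'yes', 'no', 'auto' or None (unset) for [global] server schannel."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, val = line.split("=", 1)
        # Parameter names are case-insensitive and ignore embedded spaces.
        if re.sub(r"\s+", "", key).lower() != "serverschannel":
            continue
        val = val.strip().lower()
        value = "yes" if val in _TRUE else "no" if val in _FALSE else val
    return value


def config_exposed(version, conf_text):
    """Apply the advisory's rule as quoted above to one DC's version and config."""
    major, minor = (int(p) for p in version.split(".")[:2])
    setting = schannel_setting(conf_text)
    if (major, minor) >= (4, 8):
        return setting in ("no", "auto")   # secure by default; only overrides hurt
    return setting != "yes"                # 4.7 and below: exposed unless forced on


# Constructed sample configs, not taken from any real host.
LEGACY_COMPAT = "[global]\n  workgroup = EXAMPLE\n  Server Schannel = Auto\n"
DEFAULTS_ONLY = "[global]\n  workgroup = EXAMPLE\n; server schannel = no\n"
EXPLICIT_YES = "[global]\n  server schannel = yes\n[share]\n  server schannel = no\n"

if __name__ == "__main__":
    for ver, conf in [("4.12.6", LEGACY_COMPAT), ("4.12.6", DEFAULTS_ONLY),
                      ("4.7.12", DEFAULTS_ONLY), ("4.7.12", EXPLICIT_YES)]:
        state = "EXPOSED" if config_exposed(ver, conf) else "ok"
        print(ver, schannel_setting(conf), state)
```
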

Wait. Pause. Why haven’t these IT people already done the job? v1 can’t understand what’s taking them so long:

 The CVE was initially released on August 11. … Funny they’re just now in a hurry to patch a severity-10 that’s been out now for six weeks.

Granted, it took Microsoft until last Tuesday to publish a patch, but any competent admin would have looked at that and said “that goes on now” and has already closed that barn door. Sure, tell the idiots to get it done immediately, then review the “completion reports” and fire everyone that waited until they were ordered to patch their servers, and hire competent replacements.

But acdha reckons it ain’t that simple:

 You’re missing the biggest reason: … enterprise IT shops with strict change management processes and, especially in government, years of austerity budgets cutting resources for both sysadmins and rigorous testing.

If you have a change management process which takes a month to approve updates, the problem is not the sysadmin. If years of skimping means that the operators are afraid to patch because they’ll be punished if it breaks things and they don’t have a robust testing process, the problem is not the sysadmin.

This is more expensive than people like to admit. You either need to accept lower security/reliability or spend more on staff, capacity, and licenses. Lots of places try to cut that corner and it’ll seem to work until, as Warren Buffett likes to say, the tide goes out.

This is a really tricky problem in government because the pay scales can be very hard to change. … Historically the higher-level positions were senior and relatively limited, so it’s not like you can just effortlessly bump all of your developer positions up to the highest grade without hitting budget caps. … That probably means you’re hiring people at lower levels which are more like entry level pay.

And Deputy Cartman’s been there … done that … bought the T-shirt:

 Once organizations reach a certain size, they seem to instill a very very strong sense of “Don’t rock the boat if you don’t have to” mindset. You want to be proactive and apply a patch? Well what if it breaks something!? Just sit on your ***, keep looking at Tik-Tok, and counting down the days for your pension.

Fix **** after the duct tape breaks, and move on with your life. … I’m already starting to feel this way at my defense company job due to its size. Fixing all the **** I’m seeing that’s pants-on-head stupid would go about as well as punching a concrete wall until my fists are hamburger.

Just roll your eyes, take your time with that 8th cup of coffee, and just do what you can.

What went wrong, anyway? With a neat precis, here’s tialaramex:

 This is an amazing bug. … What happens is, you’re supposed to fill out a bunch of bytes as proof of who you are, and then a bunch of bytes that represent stuff like seconds since the start of the Unix epoch. If you can’t do this, NetLogon figures you aren’t really who you say you are.

The exploit is: Fill everything out with all zeroes. This will succeed one time in 256 on average.

[It] isn’t a bug in the code, it’s a design mistake: If you implement exactly what Microsoft’s design document says for NetLogon, one time in 256 all zeroes lets you in. By design. Stupid stupid design.

It stands out how terrible Microsoft is at cryptographic design. … Microsoft does this over and over.

IT people deserve blame too. Coppercloud dreams up the best simile:

 Wait, people have domain controllers present on the public internet? Like, no firewall, port forwarded or no NAT, no VPN? Just out there?

This is plugging a hole in a leaky chicken fence and hoping it floats.

Cue: the inevitable conspiracy theory. jiggawatts approaches 88 mph:

 I am now convinced that Microsoft is purposefully degrading the quality of the cryptography at the behest of the NSA. … Microsoft products have all of the following current cryptographic problems:
– There is no support for TLS 1.3. …
– HSTS is very hit and miss. …
– Until very recently, you’d have to jump through hoops to enable TLS 1.1 and 1.2. …
– Across a forest trust, RC4 is the default cipher.
– If you try to enforce AES ciphers … you’ll break some forms of single-sign-on from Azure AD.
– If you use ECC certificates, you’re stuck with the handful of now very thoroughly legacy curves. …
– You can’t have elliptic curve certificates with: NDES, AD FS, SQL Server, SCCM until very recently, and in fact just about every Microsoft product except for IIS. Which I remind you still can’t do TLS 1.3. …
– Azure Key Vault can’t issue anything but RSA certificates from third-party CAs. …

The NSA does exist. They do degrade cryptographic algorithms, either through national security letters or simply bribery. The Dual_EC_DRBG fiasco happened. It really happened. Private United States based organisations do cooperate with these programs, either willingly or because they are forced to.

It’s one thing to accuse a neighbour randomly of murder. It’s entirely another thing if you see them putting a shockingly large and heavy rolled up carpet in the boot of their car.

Meanwhile, kaur thinks a thought experiment:

 Every country in the world is [asking] questions:
– Why do we use a consumer OS built by a US company?
– Can we trust USA to be our ally and not abuse its power over Microsoft?
– Can we trust USA to stay our ally in the foreseeable future?

And Finally:

Maiden Goes To Hollywood

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Ryan McGuire (via Pixabay)

Security Boulevard

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
