More patches released to address Zerologon bug in systems not compatible with Microsoft's fix

The Zerologon micropatch is 'primarily targeted at Windows Server 2008 R2 users without Extended Security Updates'

Samba and 0patch have each released their own patches for the Zerologon security vulnerability, covering systems that Microsoft's recent update does not reach.

Last week, cyber security firm 0patch said that it was releasing a "micropatch" for the critical bug. Microsoft's fix, released in August, is not available for every affected system.

0patch said that its micropatch is logically identical to Microsoft's fix and 'primarily targeted at Windows Server 2008 R2 users without Extended Security Updates'.

"We injected it in function NetrServerAuthenticate3 in roughly the same place where Microsoft added the call to NlIsChallengeCredentialPairVulnerable, but since the latter doesn't exist in old versions of netlogon.dll, we had to implement its logic in our patch," the company said in a blog post.

This micropatch is available to all 0patch users with a Pro license, the company added.

Meanwhile, Samba, the open-source suite that lets Linux and Unix systems share files with Windows and Mac clients and act as Active Directory domain controllers, has also released its own Zerologon patch. Samba implements the Netlogon protocol when it runs as a domain controller and is therefore affected by the same flaw.

In an advisory, the Samba Team said that the vulnerability exists only when Samba is used as a domain controller.

"Installations running Samba as a file server only are not directly affected by this flaw, though they may need configuration changes to continue to talk to domain controllers," Samba added.

In addition, the advisory explained that versions 4.8 and above are not vulnerable unless smb.conf contains the line 'server schannel = no' or 'server schannel = auto'. The default since 4.8, 'server schannel = yes', insists on the signed and sealed secure channel that the attack has to switch off, so installations that have kept the default are protected.

Zerologon, indexed as CVE-2020-1472, is a critical elevation of privilege bug that an attacker with a foothold on the local network could leverage to instantly become a Domain Admin, and gain access to an organisation's Active Directory domain controllers.

The bug was discovered by Tom Tervoort, a security expert at Secura, who reported it to Microsoft and published a detailed post earlier this month to reveal the full impact of the bug.

According to Tervoort, Zerologon arises from a flaw in how the Netlogon Remote Protocol (MS-NRPC), which Windows domain controllers use to authenticate users and machines, applies its cryptography: the protocol encrypts the 8-byte challenges exchanged during authentication with AES in CFB8 mode using an initialisation vector that is always all zeros. With a zero IV, an all-zero input encrypts to an all-zero output for roughly one in every 256 session keys.

To exploit the bug, an attacker must already have a foothold inside a targeted network and be able to reach a domain controller over the Netlogon RPC interface. From there, they send authentication messages in which the client challenge and client credential are filled with zeros; on average one attempt in 256 is accepted by the domain controller. Once authenticated, and with the protocol's signing and sealing disabled, the attacker can call the Netlogon password-change operation to set the domain controller's own computer account password in Active Directory to an empty string.
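The cryptographic weakness described above, illustrated in Python as an added example that is not code from the original article, from Secura, Microsoft or Samba. Because AES is not in the Python standard library, a keyed HMAC-SHA256 function stands in for AES-128 block encryption; that is an assumption made only for the demonstration, since the all-zero-IV CFB8 property that matters here depends on the mode, not on the cipher. The simulation also models the session key changing on every attempt (because the domain controller issues a fresh server challenge each time) as a fresh random key, and all function names are this example's own.

```python
"""Added illustration of the AES-CFB8 zero-IV weakness behind Zerologon
(CVE-2020-1472).  Not the original article's or any vendor's code."""
import hashlib
import hmac
import os

BLOCK = 16                    # AES block size in bytes
CHALLENGE_LEN = 8             # Netlogon challenges and credentials are 8 bytes
NL_TRUST_PASSWORD_LEN = 516   # 512-byte password buffer + 4-byte length field


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption (assumption: any keyed
    pseudorandom block function shows the mode-level weakness)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """8-bit cipher feedback: each plaintext byte is XORed with the first
    byte of E_k(shift register); the ciphertext byte is then shifted in."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_fn(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of cfb8_encrypt; included so the mode can be checked."""
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ block_fn(key, bytes(register))[0])
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """MS-NRPC ComputeNetlogonCredential, AES variant: CFB8 with a zero IV.
    The fixed all-zero IV is the root of the flaw."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def is_weak_session_key(session_key: bytes) -> bool:
    """True when E_k(0)[0] == 0.  Then zero IV plus zero plaintext keeps the
    shift register all zero, so the whole ciphertext is zero, whatever its
    length.  Holds for about 1 in 256 keys."""
    return block_fn(session_key, bytes(BLOCK))[0] == 0


def server_accepts(session_key: bytes, client_challenge: bytes,
                   client_credential: bytes) -> bool:
    """What a DC does in NetrServerAuthenticate3: recompute and compare."""
    return compute_netlogon_credential(session_key, client_challenge) == client_credential


def zerologon_attempts(max_attempts: int = 100_000, rng=os.urandom):
    """Attacker sends an all-zero ClientChallenge and ClientCredential every
    time.  Each attempt gets a new ServerChallenge, so the session key
    (derived from the unknown machine password and both challenges) changes;
    modelled here as a fresh random key per attempt (assumption).
    Returns the attempt number on success (about 256 on average), else None."""
    zeros = bytes(CHALLENGE_LEN)
    for attempt in range(1, max_attempts + 1):
        if server_accepts(rng(BLOCK), zeros, zeros):
            return attempt
    return None


def forged_password_blob(session_key: bytes) -> bytes:
    """Encrypted NL_TRUST_PASSWORD sent to NetrServerPasswordSet2: 516 zero
    bytes.  Under a weak key it encrypts to all zeros, which the DC decodes as
    a password of length 0, i.e. an empty machine account password."""
    return cfb8_encrypt(session_key, bytes(BLOCK), bytes(NL_TRUST_PASSWORD_LEN))


def find_weak_key() -> bytes:
    """Deterministically search counter-valued keys for a weak one."""
    i = 0
    while True:
        key = i.to_bytes(BLOCK, "big")
        if is_weak_session_key(key):
            return key
        i += 1


if __name__ == "__main__":
    weak = find_weak_key()
    print("weak key found after", int.from_bytes(weak, "big") + 1, "candidates")
    print("zero challenge -> credential:", compute_netlogon_credential(weak, bytes(8)).hex())
    print("forged password blob all zero:", forged_password_blob(weak) == bytes(516))
    print("attempts needed in simulated attack:", zerologon_attempts())
```

Running the script shows the three facts the attack rests on: for a weak session key the zero challenge produces a zero credential, so a zero client credential is accepted; the same key turns 516 zero bytes into an all-zero encrypted password structure, which decodes as an empty password; and because the key changes on every try, simply retrying with zeros succeeds after a few hundred attempts. Microsoft's patch adds the NlIsChallengeCredentialPairVulnerable check mentioned above, which rejects exactly this all-zero challenge/credential pair.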

With the domain controller's machine account under their control, the attacker can authenticate as that account and, as Microsoft's advisory puts it, run a specially crafted application on a device on the network.

The vulnerability received the maximum Common Vulnerability Scoring System (CVSS) score of 10.0.

Microsoft released a fix for Zerologon in August, saying that it would address the bug in a phased two-part rollout. The first phase enforces secure RPC for Windows machine accounts and logs, rather than blocks, connections from other devices that still negotiate the vulnerable channel; the later enforcement phase will reject those connections unless an administrator has explicitly allowed them by policy.

Last Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive instructing all federal agencies to 'apply the Windows Server August 2020 security update to all domain controllers' by the end of Monday, 21st September.

According to CISA, the flaw poses 'an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action.'

'If affected domain controllers cannot be updated, ensure they are removed from the network,' CISA advised.