The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert to warn of attackers actively targeting a recently addressed vulnerability in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).
Dubbed Zerologon, the security flaw is tracked as CVE-2020-1472 and was patched in August 2020. Earlier this month, CISA issued an Emergency Directive that required all federal agencies to install the patches within three days.
The vulnerability allows an unauthenticated attacker connected to a domain controller using Netlogon to gain domain administrator access. The attacker would need to leverage a specially crafted application running on a device on the network to successfully exploit the bug.
Samba issued patches for the bug too. Last week, Microsoft revealed that it was seeing the first attempts to target the Zerologon flaw, and was quick to issue an alert on such attacks as well.
“The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access,” the agency said.
CISA again underlined the need to apply the available patches, as that would prevent successful exploitation, and announced the release of a patch validation script that can help organizations identify unpatched Microsoft domain controllers.
“CISA urges administrators to patch all domain controllers immediately—until every domain controller is updated, the entire infrastructure remains vulnerable,” the agency said.