Zerologon: patch now to protect against vulnerability

Nick Smith

A number of exploits are now available for the high-profile Microsoft vulnerability 'Zerologon' (CVE-2020-1472). Nick Smith explains why you should patch now to protect your business.

For hackers, network access is just the beginning and the goal is to escalate privileges to gain admin rights. If successfully exploited, Zerologon will enable that through a single click.

Dutch cyber security firm Secura originally identified a similar vulnerability last year, seeing potential for a man-in-the-middle attack. Since then, the organisation has discovered a related vulnerability, publishing further details and a diagnostic tool.

How does Zerologon work?

All systems using a Windows domain have an Active Directory that grants permissions across the network. This is managed by a domain controller.

The Zerologon bug allows a hacker to reset the domain controller password by sending a series of Netlogon messages containing zeroes, giving them full control over the Active Directory, and consequently, the wider network.
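
One way to hunt for the pattern described above in domain controller logs, as an added example that is not part of the original article: a burst of failed Netlogon authentications (event 5805) followed by an anonymous password change on a domain controller's own account (event 4742). The event IDs come from Windows logging rather than this page; the field names, thresholds and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Windows event IDs (not named on the page): 5805 = NETLOGON session setup
# failed to authenticate; 4742 = a computer account was changed.
NETLOGON_AUTH_FAILED = 5805
COMPUTER_ACCOUNT_CHANGED = 4742


def find_suspect_resets(events, dc_accounts, min_failures=20,
                        window=timedelta(minutes=5)):
    """Return alerts for DC account password changes made anonymously
    within `window` after a burst of failed Netlogon authentications."""
    events = sorted(events, key=lambda e: e["time"])
    failures = {}  # DC host -> timestamps of 5805 events seen so far
    alerts = []
    for ev in events:
        if ev["id"] == NETLOGON_AUTH_FAILED:
            failures.setdefault(ev["host"], []).append(ev["time"])
        elif (ev["id"] == COMPUTER_ACCOUNT_CHANGED
              and ev["target"].upper() in dc_accounts
              and ev["subject"].upper() == "ANONYMOUS LOGON"
              and ev["password_changed"]):
            recent = [t for t in failures.get(ev["host"], [])
                      if timedelta(0) <= ev["time"] - t <= window]
            if len(recent) >= min_failures:  # threshold is an assumption
                alerts.append({"host": ev["host"], "target": ev["target"],
                               "time": ev["time"], "failed_auths": len(recent)})
    return alerts


def sample_events():
    """Constructed events in a hypothetical normalised schema."""
    t0 = datetime(2020, 9, 20, 10, 0, 0)
    burst = [{"id": 5805, "host": "DC01", "time": t0 + timedelta(seconds=i)}
             for i in range(40)]
    reset = {"id": 4742, "host": "DC01", "time": t0 + timedelta(seconds=41),
             "target": "DC01$", "subject": "ANONYMOUS LOGON",
             "password_changed": True}
    # Routine machine password rotation by the DC itself: must not alert.
    routine = {"id": 4742, "host": "DC02", "time": t0 + timedelta(hours=1),
               "target": "DC02$", "subject": "DC02$", "password_changed": True}
    # A lone failed authentication with no account change: must not alert.
    noise = {"id": 5805, "host": "DC02", "time": t0 + timedelta(minutes=50)}
    return burst + [reset, routine, noise]


if __name__ == "__main__":
    for alert in find_suspect_resets(sample_events(), {"DC01$", "DC02$"}):
        print(alert)
```

Tune `min_failures` and `window` against normal Netlogon failure rates in your own environment before alerting on the result.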

What are the risks of Zerologon?

An attacker needs network access to exploit the vulnerability, for example through a phishing attack or as a malicious insider.

A Zerologon attack would enable malware or ransomware to run across the network, in addition to data leakage, with implications for data protection and loss of proprietary information.

What to do now?

Microsoft released a patch in August, and has given Zerologon the highest vulnerability rating on the Common Vulnerability Scoring System.

If you haven’t updated your system as part of your ongoing patch management processes, you should run the update as soon as possible to protect your business.

For help with protecting your system against Zerologon and other cyber security risks, contact Nick Smith.