How to Remediate Federal Systems with Zerologon Vulnerability
By Egon Rinderer, Global Vice President of Technology & Federal CTO, Tanium
In September, the Cybersecurity and Infrastructure Security Agency (CISA) released a notice stating the Zerologon vulnerability poses an “unacceptable risk” to the federal civilian executive branch, and required that all federal agencies “immediately apply the Windows Server August 2020 security update” or disconnect from federal networks. Zerologon is perhaps one of the most significant vulnerabilities to hit in a long time.
Back in August, Microsoft released a software update for the Netlogon elevation-of-privilege (EoP) vulnerability – known as zerologon – to mitigate a critical weakness in the Windows Netlogon Remote Protocol server interface. Netlogon allows devices to authenticate to the domain controller (DC) and update their machine account password in Active Directory (AD). Netlogon is designed for specific tasks such as maintaining relationships between domain members and the DC, or between many DCs across one or many domains, and replicating the DC database. At the time of release, this was only the first update in a phased rollout expected to conclude in February 2021.
Federal systems go through routine patches and software updates. These fix security vulnerabilities and other bugs that cybercriminals might use to gain unauthorized access to a user’s device and sensitive data. Software vendors release critical patches with the intent of protecting the organizations and users leveraging the software. But while a patch may safeguard against the latest threat, it can also unintentionally create other issues across the network. Ideally, organizations have a test environment where they can first deploy the patch and measure its effectiveness as well as any issues it might cause (e.g., a mission-critical tool or function becoming unavailable). But test environments aren’t always identical to the production environment, and some organizations may not have one at all.
While not identical, the impact of this latest patch is reminiscent of the fallout from the Microsoft patch for Meltdown (CVE-2017-5754). Distribution of the patch was altogether halted at one point due to the issues it caused for some machines (e.g., failure to boot). What’s unique about the patch for zerologon, however, is that Microsoft knew prior to release that there would be compatibility issues, which explains the complexity in the response and guidance—phased implementation, partial enforcement now and more coming later, an option to go to full enforcement sooner, new logged events to tell you when those compatibility issues are happening, and a GPO to exempt specific systems from the new restriction.
These patch complexities can leave some networks and users in a precarious position. With the patch come certain compatibility issues, but without the patch, hackers can use this vulnerability with easy-to-use exploits. This vulnerability allows attackers to impersonate any computer to the DC in the agency network and change that computer’s password – all while going unnoticed by IT teams. Hackers can also execute remote procedure calls on its behalf to gain access to corporate networks.
In the case of zerologon, since an agency’s Active Directory rarely, if ever, gets completely rebuilt or replaced over time, a skilled cybercriminal could quietly establish long-term, full administrative persistence inside the entire network and remain unnoticed. Further, agencies underestimate its impact because it ‘only affects DCs.’ But the problem is that agencies often have far more DCs than they think – and those DCs are spread all over the globe. Control of any DC grants an attacker the ability to do anything they want on any member machine in the AD forest, including hiding persistence on them.
Roadblocks to Closing the Vulnerability
Zerologon isn’t something you can just patch and forget. Remediation requires several steps and repeated validation. Further, tactics by bad actors are evolving daily – so it is more critical than ever to routinely update systems to prevent breaches.
The solution is not as simple as shutting the insecure channels of communications, as this can potentially break other applications and platforms. It is very difficult to determine the impact without rigorous testing.
The exploit depends on Netlogon secure channel signing and encryption being optional. When the protocol’s less-secure option is unavailable, the exploit no longer works. The patch also brings a subtle change to the Netlogon protocol that breaks the “all-zeroes” exploit technique. This means that even when you can’t require signing/encryption, successful exploitation of the protocol’s weakness is now mathematically many orders of magnitude more difficult than it was (that’s good news!).
After patching DCs, you should determine whether any authorized computers are being blocked or will be blocked in full-enforcement mode (what MS refers to as “Phase II”), so that they can be updated, retired, or exempted with the new group policy setting.
Further, DCs often receive patches later than other systems in the agency network because of a “don’t rock the boat” mentality. Having the DCs updated and stable is critical – and this means patches and security updates are approached with hesitation. The bottom line? This vulnerability exposes the keys to the kingdom – and it is absolutely critical that agencies understand it and take it seriously.
Zerologon patches are only available for versions of Windows that are still supported and receive security updates. But in practice, many networks have legacy Windows devices or non-Windows devices that communicate with DCs using the protocol. Federal IT teams that have the patch should follow the Microsoft guidance:
- Deploy the August 11, 2020 updates to all applicable DCs in the forest including read-only DCs
- Collect events in DC event logs to determine which devices in the environment are using vulnerable Netlogon secure channel connections
- Address Netlogon event IDs 5827 and 5828, indicating non-compliant machines that are being blocked now, and event ID 5829, indicating non-compliant machines that will be blocked when full enforcement is applied
- Move to enforcement mode in advance of the February 9, 2021 enforcement phase
- Deploy February 9, 2021 updates
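The event-collection and enforcement steps above, as an added PowerShell example (not code from the article or from Tanium): it pulls Netlogon events 5827/5828/5829 from every DC in the current domain, groups them by the account named in the event, and reports whether each DC already has enforcement mode switched on. It assumes the ActiveDirectory RSAT module, remote access to each DC’s System log and registry, that the events are logged by the NETLOGON provider with the account name as the first insertion string, and that the FullSecureChannelProtection registry value (DWORD 1) is what enables enforcement mode; verify those assumptions against Microsoft’s current guidance for your DCs.

```powershell
# Meaning of each event ID, per the guidance quoted in the article.
$eventIds = @{
    5827 = 'Denied now: vulnerable Netlogon secure channel (machine account)'
    5828 = 'Denied now: vulnerable Netlogon secure channel (trust account)'
    5829 = 'Allowed now, will be denied under full enforcement'
}

function Get-ZerologonEvents {
    param([string[]]$DomainControllers, [int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'          # assumption: provider/source name of these events
        Id           = [int[]]$eventIds.Keys
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    foreach ($dc in $DomainControllers) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $props = $_.Properties | ForEach-Object { $_.Value }
                [pscustomobject]@{
                    DC      = $dc
                    EventId = $_.Id
                    Meaning = $eventIds[[int]$_.Id]
                    # assumption: first insertion string is the machine SamAccountName
                    # (5827/5829) or the account type (5828); Details keeps everything
                    Account = $props[0]
                    Details = ($props -join ' | ')
                    Time    = $_.TimeCreated
                }
            }
    }
}

function Get-NetlogonEnforcementMode {
    param([string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        $value = Invoke-Command -ComputerName $dc -ScriptBlock {
            $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
            (Get-ItemProperty -Path $key -Name FullSecureChannelProtection `
                -ErrorAction SilentlyContinue).FullSecureChannelProtection
        }
        [pscustomobject]@{ DC = $dc; FullSecureChannelProtection = $value; Enforced = ($value -eq 1) }
    }
}

# Current domain only; run once per domain to cover the whole forest, RODCs included.
$dcs = (Get-ADDomainController -Filter *).HostName
Get-ZerologonEvents -DomainControllers $dcs |
    Group-Object Account, EventId | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
Get-NetlogonEnforcementMode -DomainControllers $dcs | Format-Table -AutoSize
```

Accounts that keep appearing under 5829 are the ones to update, retire, or exempt via the group policy setting before the enforcement date; a DC reporting Enforced = False is still relying on the phased default.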
Agencies that use Microsoft Windows are better served by taking a holistic risk management approach, using complete, accurate, and real-time data from a single source to reduce risk and improve security. In doing so, they can also reduce the number of point products, reallocate budget and scarce resources, and justify future budget requests for critical security activities – all while providing a more comprehensive view of the security landscape that enables more strategic business decisions.
Leveraging a single platform that integrates endpoint management and security unifies teams, effectively breaking down the data silos and closing the accountability, visibility, and resilience gaps that often exist between IT operations and security teams.
A platform approach also gives agencies end-to-end visibility across end users, DCs, servers, and cloud endpoints, and the ability to identify assets, protect systems, detect threats, respond to attacks, and recover at scale. When agencies achieve complete visibility and control, the risk from cyberattacks is significantly reduced and their ability to make good business decisions is improved.
At this stage, agencies that use the Netlogon server are aware of the vulnerability and the risk it brings. IT teams must prioritize standard checks for patches and routinely complete vulnerability assessments to analyze and determine the current level of risk.
About the Author
Egon Rinderer is the Global Vice President of Technology and Federal CTO at Tanium. With 30 years of Federal and private sector industry experience, Egon currently leads the global Enterprise Services Organization as well as leading Tanium Federal as Chief Technology Officer. Joining Tanium at a time when the company was made up of less than 20 employees, he has held roles ranging from Technical Account Manager to Federal Pod Lead to global Vice President of the TAM organization. Prior to joining Tanium, Egon was with Intel Corporation and served throughout the US military and intelligence community in the United States and abroad in an operational capacity. Egon can be reached at firstname.lastname@example.org, online at https://www.linkedin.com/in/egon-rinderer/, or at our company website at https://www.tanium.com/solutions/federal-government/