Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

One Year Later: What Can We Learn from Zerologon?

In a year of headline-making vulnerabilities and incidents, Zerologon (CVE-2020-1472) stands out due to its widespread adoption by threat actors and its checkered disclosure timeline.

In our Threat Landscape Retrospective (TLR) published earlier this year, the Tenable Security Response Team (SRT) highlighted CVE-2020-1472, aka Zerologon, as one of the Top Five Vulnerabilities of 2020.

However, Zerologon had humble beginnings: It received limited mention in most Patch Tuesday analyses when it was initially fixed in August 2020 but, by the end of the year, Zerologon was featured in several government alerts and had been adopted by threat actors of various motivations and capabilities. Zerologon was one of the top exploited vulnerabilities of 2020, according to a recent joint cybersecurity alert from international government agencies.

If vulnerabilities had Cinderella stories, this might be one. How did this vulnerability initially get lost in the shuffle and what can security professionals learn from this to avoid any future scrambles like the one experienced at the end of summer 2020?

Priority overload: 2020’s vulnerability season

You might have blocked it from your memory, or it may have been overwritten by the many other major news cycles we’ve experienced since, but the summer of 2020 was an exhaustingly busy few months. Just in the scheduled, recurring security releases from Oracle, Microsoft and Adobe, over 800 vulnerabilities were added to prioritization queues between July 14 and September 10, 2020. But, of course, it’s never just the scheduled releases. In the months surrounding the disclosure of CVE-2020-1472 and the publication of Secura’s white paper, the Security Response Team reported on a dozen notable vulnerabilities.

July 14 CVE-2020-6287: Critical Vulnerability in SAP NetWeaver Application Server JAVA Disclosed (RECON)
July 14 CVE-2020-1350: Wormable Remote Code Execution Vulnerability in Windows DNS Server Disclosed (SIGRed)
July 14 CVE-2020-8193, CVE-2020-8195, and CVE-2020-8196: Active Exploitation of Citrix Vulnerabilities
July 22 Copy-Paste Compromises: Threat Actors Target Telerik UI, Citrix, and SharePoint Vulnerabilities (CVE-2019-18935)
July 23 CVE-2020-3452: Cisco Adaptive Security Appliance and Firepower Threat Defense Path Traversal Vulnerability
July 29 CVE-2020-10713: “BootHole” GRUB2 Bootloader Arbitrary Code Execution Vulnerability
August 10 CVE-2020-17496: Zero-Day Remote Code Execution Vulnerability in vBulletin Disclosed
August 14 CVE-2019-0230: Apache Struts Potential Remote Code Execution Vulnerability
September 1 CVE-2020-5776, CVE-2020-5777: Multiple Vulnerabilities in the MAGMI Magento Mass Import Plugin
September 1 CVE-2020-3566, CVE-2020-3569: Zero-Day Vulnerabilities in Cisco IOS XRSoftware Targeted in the Wild
September 2 CVE-2020-25213: Critical Vulnerability in File Manager WordPress Plugin Exploited in the Wild
September 10 CVE-2020-2040: Critical Buffer Overflow Vulnerability in PAN-OS Devices Disclosed

Source: Tenable, August 2021

To get a more detailed overview of the 2020 Vulnerability Season and how it fits into the larger security landscape, read the TLR.

Patch Tuesday: August 2020

So that’s everything that was happening around August Patch Tuesday. Let’s take a moment to examine that release itself. Microsoft patched 120 CVEs, breaking 100 CVEs for the sixth month in a row. Seventeen of the CVEs were rated Critical, seven as “Exploitation More Likely” and two vulnerabilities (CVE-2020-1464 and CVE-2020-1380) were under active exploitation. More than half (61) of the CVEs were Elevation of Privilege (EoP), though the actively exploited vulnerabilities received the bulk of the attention in third-party analysis of the Patch Tuesday release.

Now that we have a better understanding of the context surrounding the initial release of CVE-2020-1472, let’s examine the vulnerability itself and how its disclosure proceeded.

About CVE-2020-1472: sneaky updates cause problems

Source: Tenable, August 2021

CVE-2020-1472 is an elevation of privilege vulnerability in Microsoft's Netlogon Remote Protocol (MS-NRPC). This protocol is used to maintain relationships of domain controllers (DCs) within and across domains. Critically, MS-NRPC is also used to manage account changes for DCs, like passwords. The flaw exists because of a flaw in how MS-NRPC implements AES-CFB8 encryption. Because this is a local privilege escalation flaw, an attacker needs to be on the same local area network (LAN) as their target.

Active Directory (AD) is a target of serious concern with Zerologon. If an attacker was able to exploit it against AD, they could impersonate any machine on the network, reset the domain controller’s administrator password or launch ransomware attacks against the entire network.

Initially, CVE-2020-1472 was published with a CVSSv3 score of 8.8 and “Exploitation Less Likely” designation, according to the Microsoft Exploitability Index. TrendMicro Zero Day Initiative did point out that a critical rating for an EoP is “rare” and that might have been our first and only hint that something was up. However, two other EoP vulnerabilities in this release (CVE-2020-1509, CVE-2020-1585) also received 8.8 CVSSv3 scores. The same day of the Patch Tuesday release, Microsoft updated the CVSSv3 score for CVE-2020-1472 to 10.0 and upgraded it to “Exploitation More Likely.”

This surreptitious update is likely a major reason CVE-2020-1472 flew under the radar initially. You can see in the image below that the update on Microsoft’s Security Update Guide is listed before the information was published. Version 1.1 is listed as preceding version 1.0. Analysts and reporters jump on Patch Tuesday as quickly as possible looking for the next “big” vulnerability and likely missed this important revision.

Source: Microsoft, retrieved August 2021

It wasn’t until September, when researchers at Secura published more details about the vulnerability and gave it a name, Zerologon, that the community at large took notice. The additional information from Secura allowed analysts and researchers to understand the full scope and impact of the vulnerability. This is also where we began to see the 10.0 CVSSv3 score included in coverage. Several proofs-of-concept (PoC) were published for Zerologon that improved upon the initial test tool released by Secura. By October, news broke that advanced persistent threat actors and ransomware groups were leveraging Zerologon in attack chains.

Tom Tervoot of Secura recently spoke at Black Hat USA 2021 about his discovery of Zerologon and Microsoft’s patch. In this presentation, he alluded to the fact that the one month delay in publishing his whitepaper and testing tool was decided in agreement with Microsoft and implied it was intended to give defenders time to patch.

Coverage of CVE-2020-1472

Overall, CVE-2020-1472 wasn’t prominently featured in Patch Tuesday coverage by vendors and the media. It was mostly included as an “also patched” later in analyses. It appears much of the initial coverage for CVE-2020-1472 was driven by commentary from Trend Micro Zero Day Initiative.

Based on the information available at the time, it’s reasonable that most of us focused attention on CVE-2020-1464 and CVE-2020-1380 while basically putting a pin in CVE-2020-1472 until more information became available.

Secura didn’t offer any rationale for its delayed publication date until last week and Microsoft made no mention of the CVSS score change beyond the somewhat confusing version history of the Security Update Guide. Had accurate and complete information about Zerologon been available from the beginning, the industry would have likely sounded a louder alarm much earlier.

Takeaways

What can we learn from this situation? Can we extract useful actions to take in the future to avoid an apparent oversight?

I'd love to offer a magic, quantitative solution based on this vulnerability: if [list of factors], then exploit. Unfortunately that is not possible; this all as much an art as it is a science. Without accurate information, it's nearly impossible to predict exactly which vulnerabilities out of the thousands disclosed every year will be widely, or even narrowly exploited. Attackers are often creatures of habit but they have so many vulnerabilities from which to choose.

Publicly available PoCs are a strong indicator that a given vulnerability will be adopted by attackers because attackers are opportunistic and will happily gain value off someone else’s work. However, we've seen lately that some won't hesitate to develop zero-days if the price is right. PoCs can arrive significantly after a patch, as we've seen, and defenders waiting for a public PoC is the opposite of ideal.

One thing that we can derive from this, though it’s not groundbreaking, is the value EoP vulnerabilities may have, and a consideration for which vulnerabilities can be chained to elevate privileges or move laterally within target networks. This is not new, we’ve written about it before. Based on sources like government alerts on threat actor activity, we know that remote code execution (RCE) vulnerabilities still dominate, but Zerologon was specifically called out for being used in several campaigns, regardless of initial access methods.

From this incident we know to look out for:

    • Unpatched vulnerabilities with widely publicized PoCs
    • Ubiquitous programs/functions (a la Print Spooler)
      • Microsoft dominates the vulnerabilities used by threat groups because it is so widely deployed.
    • Elevation and lateral movement

Nothing cutting-edge here.

Unfortunately, the main action I can see here isn’t for defenders, it’s for the vendors. The primary reason for this situation was the scoring discrepancy of CVE-2020-1472 when it was initially disclosed. Had Microsoft been more communicative about the score change, defenders would have had accurate information with which to perform initial prioritization. At first analysis, based on the information provided initially by Microsoft, this appeared to be a fairly average EoP vulnerability. The surreptitious update meant that most people didn’t reexamine the advisory until a month later. The early birds got inaccurate information, unfortunately, thereby missing the metaphorical worm.

This case illustrates another side of the “coordinated disclosure” coin. Researcher blog posts, white papers, and even tweets, can provide helpful context missing from vendor advisories. They may even point out where a vendor advisory was inaccurate.

We saw a similar issue with the Print Spooler vulnerabilities this summer.

Source: Tenable, August 2021

Microsoft’s initial advisory for CVE-2021-1675 didn’t accurately describe the vulnerability, listing just an EoP when it was actually RCE. It even followed the same delayed PoC to wide scale exploitation to government alert timeline pretty closely. There were other complicating factors, but those aren’t as relevant here.

Conclusion

The lack of transparency from Microsoft in these situations is an ongoing issue, we can only speculate about how and why things transpired as they did. Confusion like this may only be more likely now that Microsoft has removed Executive Summaries from the Security Update Guides. Defenders rely on accurate, timely information from vendors in order to make effective prioritization decisions. The less information they receive or the more inaccurate it is, the harder it gets for the industry to defend from attackers.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be found here. Tenable released a remote check plugin for Zerologon that can be used against DCs to test whether or not they’re exploitable. Please note that this plugin requires disabling the “Only use credentials provided by the user” option under Assessment Settings.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training