The Cybersecurity and Infrastructure Security Agency (CISA), a subdivision of the Department of Homeland Security, has flagged a critical vulnerability in the Microsoft Netlogon Remote Protocol (MS-NRPC). The government cybersecurity organization has also issued an emergency directive for IT personnel employed by the federal government in response to the vulnerability. The problem has been classified as severe, according to Forbes magazine. The vulnerability lets an attacker who is already present on the network take control of a Windows Server Active Directory domain.
What does it mean?
The vulnerability has the potential to give attackers administrator status in the system. According to CISA, the vulnerability is easy enough to exploit that IT teams in most medium and large organizations, especially those within government, should assume their networks have already been accessed using it. The Department of Homeland Security has named the vulnerability “Zerologon”; the flaw, tracked as CVE-2020-1472, is the subject of its security directive and has been classified as “serious” with a relatively high severity score. Its name comes from the fact that an attacker only needs to send a carefully placed string of zeros through the Netlogon protocol to bypass the connection’s security measures and be treated as an authorized user. An attacker only needs a network connection to a domain controller that has not yet been patched; no credentials are required to elevate privileges to the maximum level, becoming, as Forbes puts it, “instant admin”.
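Why a string of zeros is enough, as an added illustration that is not part of the original article: Netlogon’s ComputeNetlogonCredential applies AES-CFB8 with an all-zero IV, so for roughly 1 in 256 session keys an all-zero client challenge produces an all-zero credential. The block below assumes a keyed HMAC-based stand-in for the AES block function (constructed here; the property depends only on CFB8’s feedback structure, not on AES itself), and the session keys are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 16  # AES block size; CFB8 feeds back one byte per step


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block function (constructed; NOT AES). Any pseudorandom
    16-byte block function behaves the same for the property shown."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes,
                 block_encrypt=toy_block_encrypt) -> bytes:
    """CFB8 mode: each plaintext byte is XORed with the first byte of
    E_K(register); the resulting ciphertext byte is shifted into the
    register. This is the construction ComputeNetlogonCredential uses."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def credential_is_all_zero(session_key: bytes, challenge: bytes = bytes(8)) -> bool:
    """Netlogon fixed the IV at all zeros. With an all-zero challenge the
    register never changes, so if E_K(0^16) starts with 0x00 every output
    byte is 0x00: the 'string of zeros' accepted as a valid credential."""
    zero_iv = bytes(BLOCK_SIZE)
    return cfb8_encrypt(session_key, zero_iv, challenge) == bytes(len(challenge))


def derived_key(i: int) -> bytes:
    """Deterministic sample session keys (constructed for the demonstration)."""
    return hashlib.sha256(b"zerologon-demo-" + i.to_bytes(4, "big")).digest()[:16]


def fraction_vulnerable(num_keys: int) -> float:
    """Share of session keys for which an all-zero challenge yields an
    all-zero credential; expected to be close to 1/256 (about 0.0039)."""
    hits = sum(credential_is_all_zero(derived_key(i)) for i in range(num_keys))
    return hits / num_keys


if __name__ == "__main__":
    print(f"fraction of keys accepting an all-zero credential: {fraction_vulnerable(4096):.4f}")
```

The same first-byte condition decides the outcome regardless of how long the challenge is, which is why a server that does not enforce secure RPC cannot tell a lucky zero credential from a genuine one.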
The emergency directive, numbered “20-04” and issued by CISA, directs all federal agencies to apply the patch immediately to remove the vulnerability, which the agency said posed an “unacceptable risk.” The warning was originally sent to federal agencies on September 19 of this year, and it gave them only two days to apply the update before being in violation of this mandatory order. The bad news is that if you are learning about it for the first time now, you are more than a week behind the curve.
If you run a small or medium-sized business, you may take some comfort in knowing that your data is not targeted as heavily as that of federal institutions. Nonetheless, any organization that hopes to protect customer information is strongly encouraged to apply the August 2020 Microsoft security update. Exploit code is already circulating and has shown attackers an easy way to attack systems that have not received the fix. The most exposed non-governmental institutions are probably banks and colleges. Do not take this threat lightly: once criminal groups automate this exploit, the operations of several thousand small and medium-sized businesses will be at risk in the near future.
What to do now?
The good news is that the vulnerability has been fully addressed in the August 2020 Microsoft security update. Organizations that have not yet applied the August 2020 update to Windows Server machines that serve a domain controller role are encouraged to run all appropriate tests and install the update as soon as possible. Vulnerabilities severe enough for the federal government to issue emergency directives occur at least three times a year on average. The last time an emergency directive like this was issued was in July 2020. On that occasion, federal agencies had only 24 hours to apply the available fix. This one gave them an entire weekend, which probably indicates that July’s vulnerability was considered more serious. However, all business owners are strongly advised to have their IT staff test their networks and apply the August 2020 Microsoft security patch as soon as possible.