A critical Netlogon vulnerability detailed last week and patched in August by Microsoft could put operational technology (OT) networks at risk for disruption by allowing an unauthenticated attacker to gain domain-level administrator privileges.
The Netlogon service lives within Microsoft Active Directory (AD), which is used to manage domains and users, as well as authentication and authorization to network assets. Active Directory is often installed locally on an OT network or used cross-domain between IT and OT networks. Technologies such as distributed control systems (DCS), for example, may be particularly vulnerable to this bug because they often rely on AD as their main authentication repository for network credentials. Penetrating the domain controller of an industrial network could put an attacker in position to interfere with and damage business processes.
Microsoft made a patch available for CVE-2020-1472 last month, and said the patch is the first part of a phased two-part rollout. Part two of the rollout will be available in the first quarter of 2021. This vulnerability was given a CVSSv3 score of 10, the highest criticality score.
Netlogon is a remote procedure call (RPC) interface that is part of the Windows Client Authentication Architecture. Its purpose is to verify network login requests, authenticate users to domain controllers, and facilitate access to networked services. Domain controllers are common in industrial networks and often include multiple domains and domain servers.
It's highly recommended that organizations apply this patch immediately given there are several proof-of-concept exploits that have been made public, including one confirmed by a CERT/CC analyst. This privilege escalation vulnerability may also affect Samba, which is an interoperability suite standard on Linux and Unix operating systems, and is used that provides print and file services for Windows clients, either as a domain controller or domain member.
Researchers at Secura, a security services company in the Netherlands, privately disclosed the flaw—which they call Zerologon—to Microsoft and last week published a research paper and testing tool.
Zerologon is so-named because of a 0-padding flaw in the initialization vector of the AES-CFB8 cryptographic algorithm schemes used in the Netlogon NetrServerReqChallenge authentication process in the ComputeNetlogonCredential function. Once every 256 tries—or every three seconds—an eight-zero output will likely result, one that can give an attacker access to any computer in the domain.
Once the attacker is able to bypass the Netlogon authentication calls, they may use NetrServerPasswordSet2—an unsigned and unsealed function used to set new computer passwords for the client. When setting it with zeroes, it sets an empty password that could be logged on by the attacker, who would then be able to change the password. This attack is most dangerous when applying it on the domain server because it can give an attacker domain admin privileges.
Secura cautions that unpatched domain controllers can be compromised from the same local area network, and attackers could elevate privileges to admin, or impersonate any networked device authenticating to a domain controller. This vulnerability is actually an expansion of a previously discovered vulnerability—CVE-2019-1424—a security bypass flow in Netlogon that enabled remote local administrator access to domain-joined machines using a man-in-the-middle attack.
Until phase two of the patch is available next year, Microsoft recommends installing the security update released Aug. 11, which ensures the Netlogon features that are disabled by this vulnerability are mandatory for all Netlogon authentication attempts. Users may also turn on DC enforcement mode. As Microsoft explains: "DC enforcement mode is when all Netlogon connections are either required to use secure RPC or the account must have been added to the 'Domain controller: Allow vulnerable Netlogon secure channel connections' group policy."
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and mislead victim clients.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product sends attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable due to failure of the update mechanism to verify the update server's certificate which could allow an attacker to alter network traffic and carry out a machine-in-the-middle attack (MITM). An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends users download the v2025.1 or later version of their software.
CVSS v3: 5.7
