Remember back in August how I wrote about how “There is nothing near as severe as we got from Sigred”? Well, it turns out this was not entirely accurate. You see, there was a patch (CVE-2020-1472) included that, based on the title, made it seem like it was not a massive deal. I didn't even have it in my Lowlights section. It turns out that we all missed something significant here. Secura released a blog covering exactly what that bug means, and it is pretty damn bad. So let’s take a look at why ZeroLogon is rated a 10/10 by the CVSS. You can watch our accompanying video to this blog post here or keep reading below.
All an attacker would need is the ability to set up a TCP connection (HTTPS, SMTP, FTP, or SSH), and they can take over your environment. They do not even need any domain credentials. Using a flaw in a cryptographic protocol used to prove the authenticity of a domain-joined computer, they are able to spoof the identity of any machine, including a Domain Controller, and set a blank password. A hacker could completely take over your domain in seconds.
Luckily, this was patched in August, a full month before Secura released the white papers on this. If you are keeping your environment patched, you are fine. If you are behind, then it just became EXTREMELY critical that you patch now. This exploit is now known to the public, the risk for systems that are out of date just went through the roof. Are you patched and still feeling skittish about how things stand? I feel you, and luckily Securas work with this has been top-notch, and they even included a tool that will allow you to test your environment to make sure you are secure. If we are going to learn anything from this, it is that even when things don’t look super bad on the surface, it is probably best to maintain your vigilance in keeping everything patched.