Security News > 2020 > September > Detecting and Preventing Critical ZeroLogon Windows Server Vulnerability
If you're administrating Windows Server, make sure it's up to date with all recent patches issued by Microsoft, especially the one that fixes a recently patched critical vulnerability that could allow unauthenticated attackers to compromise the domain controller.
Dubbed 'Zerologon' and discovered by Tom Tervoort of Secura, the privilege escalation vulnerability exists due to the insecure usage of AES-CFB8 encryption for Netlogon sessions, allowing remote attackers to establish a connection to the targeted domain controller over Netlogon Remote Protocol.
Along with Indian and Australian Government agencies, the United States Cybersecurity and Infrastructure Security Agency also issued an emergency directive instructing federal agencies to patch Zerologon flaws on Windows Servers immediately.
"The most documented artifact is Windows Event ID 4742 'A computer account was changed', often combined with Windows Event ID 4672 'Special privileges assigned to new logon'."
To let Windows Server users quickly detect related attacks, experts also released the YARA rule that can detect attacks that occurred prior to its deployment, whereas for realtime monitoring is a simple tool is also available for download. However, to completely patch the issue, users still recommend installing the latest software update from Microsoft as soon as possible.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/3QK32a2JmQU/detecting-and-preventing-critical.html
Related news
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel (source)
- Patching problems: The “return” of a Windows Themes spoofing vulnerability (source)
- Hackers target critical zero-day vulnerability in PTZ cameras (source)
- Microsoft confirms Windows Server 2025 blue screen, install issues (source)
- Windows Server 2025 released—here are the new features (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418) (source)
- CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability (source)
- Microsoft blames Windows Server 2025 automatic upgrades on 3rd-party tools (source)
- Microsoft fixes bugs causing Windows Server 2025 blue screens, install issues (source)