Security News > 2020 > September > Detecting and Preventing Critical ZeroLogon Windows Server Vulnerability
If you're administrating Windows Server, make sure it's up to date with all recent patches issued by Microsoft, especially the one that fixes a recently patched critical vulnerability that could allow unauthenticated attackers to compromise the domain controller.
Dubbed 'Zerologon' and discovered by Tom Tervoort of Secura, the privilege escalation vulnerability exists due to the insecure usage of AES-CFB8 encryption for Netlogon sessions, allowing remote attackers to establish a connection to the targeted domain controller over Netlogon Remote Protocol.
Along with Indian and Australian Government agencies, the United States Cybersecurity and Infrastructure Security Agency also issued an emergency directive instructing federal agencies to patch Zerologon flaws on Windows Servers immediately.
"The most documented artifact is Windows Event ID 4742 'A computer account was changed', often combined with Windows Event ID 4672 'Special privileges assigned to new logon'."
To let Windows Server users quickly detect related attacks, experts also released the YARA rule that can detect attacks that occurred prior to its deployment, whereas for realtime monitoring is a simple tool is also available for download. However, to completely patch the issue, users still recommend installing the latest software update from Microsoft as soon as possible.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/3QK32a2JmQU/detecting-and-preventing-critical.html
Related news
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability (source)
- Critical VMware vCenter Server bugs fixed (CVE-2024-38812) (source)
- Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks (source)
- Windows Server 2025 previews security updates without restarts (source)
- Microsoft ends development of Windows Server Update Services (WSUS) (source)
- Week in review: Critical VMware vCenter Server bugs fixed, Apple releases iOS 18 (source)
- Windows Server 2025 gets hotpatching option, without reboots (source)
- CISA Flags Critical Ivanti vTM Vulnerability Amid Active Exploitation Concerns (source)
- PoC for critical SolarWinds Web Help Desk vulnerability released (CVE-2024-28987) (source)
- Critical NVIDIA Container Toolkit Vulnerability Could Grant Full Host Access to Attackers (source)