Detecting and Preventing Critical ZeroLogon Windows Server Vulnerability
If you administer Windows Server, make sure it is up to date with all recent patches issued by Microsoft, especially the fix for a recently patched critical vulnerability that could allow unauthenticated attackers to compromise the domain controller.
Dubbed 'Zerologon' and discovered by Tom Tervoort of Secura, the privilege escalation vulnerability exists due to the insecure usage of AES-CFB8 encryption for Netlogon sessions, allowing remote attackers to establish a connection to the targeted domain controller over Netlogon Remote Protocol.
Along with Indian and Australian Government agencies, the United States Cybersecurity and Infrastructure Security Agency also issued an emergency directive instructing federal agencies to patch Zerologon flaws on Windows Servers immediately.
"The most documented artifact is Windows Event ID 4742 'A computer account was changed', often combined with Windows Event ID 4672 'Special privileges assigned to new logon'."
To let Windows Server users quickly detect related attacks, experts also released a YARA rule that can detect attacks that occurred prior to its deployment, whereas for real-time monitoring a simple tool is also available for download. However, to completely patch the issue, users are still advised to install the latest software update from Microsoft as soon as possible.
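One way to triage the two event IDs named in the quote above, as an added example that is not code from the original article or from the researchers it cites. It pairs each Event ID 4742 with an Event ID 4672 for the same account on the same host shortly afterwards. The record layout, field names, 60-second default window and pairing rule are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real logs. Field names are assumptions
# standing in for whatever your Security-log export produces.
SAMPLE_EVENTS = [
    {"time": "2020-09-20T10:00:01", "host": "DC01", "id": 4742,
     "target": "DC01$", "subject": "ANONYMOUS LOGON"},
    {"time": "2020-09-20T10:00:04", "host": "DC01", "id": 4672,
     "subject": "DC01$"},
    {"time": "2020-09-20T11:30:00", "host": "DC01", "id": 4742,
     "target": "WKS07$", "subject": "helpdesk"},
    {"time": "2020-09-20T11:30:10", "host": "DC01", "id": 4672,
     "subject": "helpdesk"},
    {"time": "2020-09-20T12:00:00", "host": "DC02", "id": 4742,
     "target": "DC02$", "subject": "ANONYMOUS LOGON"},
    {"time": "2020-09-20T12:10:00", "host": "DC02", "id": 4672,
     "subject": "DC02$"},
]

def correlate(events, window_seconds=60):
    """Return (4742, 4672) pairs: a computer-account change followed, on the
    same host and within the window, by a privileged logon of that account."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["ts"],
    )
    window = timedelta(seconds=window_seconds)
    changes = [e for e in parsed if e["id"] == 4742]
    logons = [e for e in parsed if e["id"] == 4672]
    hits = []
    for change in changes:
        for logon in logons:
            same_host = logon["host"] == change["host"]
            same_account = logon["subject"].lower() == change["target"].lower()
            in_window = timedelta(0) <= logon["ts"] - change["ts"] <= window
            if same_host and same_account and in_window:
                hits.append((change, logon))
    return hits

def summarize(hits):
    """One line per correlated pair, for an analyst to review."""
    return [
        f'{c["host"]}: {c["target"]} changed by {c["subject"]} at {c["time"]}, '
        f'privileged logon at {l["time"]}'
        for c, l in hits
    ]

if __name__ == "__main__":
    print("\n".join(summarize(correlate(SAMPLE_EVENTS))))
```

A short window keeps routine account maintenance out of the results. Widening it, as in `correlate(SAMPLE_EVENTS, 900)`, also surfaces the slower DC02 sequence at the cost of more noise.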
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/3QK32a2JmQU/detecting-and-preventing-critical.html