Security News > 2020 > September > Detecting and Preventing Critical ZeroLogon Windows Server Vulnerability

Detecting and Preventing Critical ZeroLogon Windows Server Vulnerability
2020-09-23 11:09

If you're administrating Windows Server, make sure it's up to date with all recent patches issued by Microsoft, especially the one that fixes a recently patched critical vulnerability that could allow unauthenticated attackers to compromise the domain controller.

Dubbed 'Zerologon' and discovered by Tom Tervoort of Secura, the privilege escalation vulnerability exists due to the insecure usage of AES-CFB8 encryption for Netlogon sessions, allowing remote attackers to establish a connection to the targeted domain controller over Netlogon Remote Protocol.

Along with Indian and Australian Government agencies, the United States Cybersecurity and Infrastructure Security Agency also issued an emergency directive instructing federal agencies to patch Zerologon flaws on Windows Servers immediately.

"The most documented artifact is Windows Event ID 4742 'A computer account was changed', often combined with Windows Event ID 4672 'Special privileges assigned to new logon'."

To let Windows Server users quickly detect related attacks, experts also released the YARA rule that can detect attacks that occurred prior to its deployment, whereas for realtime monitoring is a simple tool is also available for download. However, to completely patch the issue, users still recommend installing the latest software update from Microsoft as soon as possible.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/3QK32a2JmQU/detecting-and-preventing-critical.html