Security News > 2020 > September > Detecting and Preventing Critical ZeroLogon Windows Server Vulnerability
If you're administrating Windows Server, make sure it's up to date with all recent patches issued by Microsoft, especially the one that fixes a recently patched critical vulnerability that could allow unauthenticated attackers to compromise the domain controller.
Dubbed 'Zerologon' and discovered by Tom Tervoort of Secura, the privilege escalation vulnerability exists due to the insecure usage of AES-CFB8 encryption for Netlogon sessions, allowing remote attackers to establish a connection to the targeted domain controller over Netlogon Remote Protocol.
Along with Indian and Australian Government agencies, the United States Cybersecurity and Infrastructure Security Agency also issued an emergency directive instructing federal agencies to patch Zerologon flaws on Windows Servers immediately.
"The most documented artifact is Windows Event ID 4742 'A computer account was changed', often combined with Windows Event ID 4672 'Special privileges assigned to new logon'."
To let Windows Server users quickly detect related attacks, experts also released the YARA rule that can detect attacks that occurred prior to its deployment, whereas for realtime monitoring is a simple tool is also available for download. However, to completely patch the issue, users still recommend installing the latest software update from Microsoft as soon as possible.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/3QK32a2JmQU/detecting-and-preventing-critical.html
Related news
- Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks (source)
- A critical vulnerability in Delinea Secret Server allows auth bypass, admin access (source)
- March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V (source)
- Researchers Detail Kubernetes Vulnerability That Enables Windows Node Takeover (source)
- Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788) (source)
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool (source)
- PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153) (source)
- New Windows Server updates cause domain controller crashes, reboots (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
- Microsoft confirms Windows Server issue behind domain controller crashes (source)