You know that Microsoft ZeroLogon bug you've been dragging your feet on? It's getting pwned in the wild now

The rather concerning design flaw in Microsoft's Netlogon protocol is being exploited in the wild by miscreants, the Windows giant's security team has warned. The mega-biz today confirmed it is seeing active attacks abusing the CVE-2020-1472 vulnerability, aka ZeroLogon, which can be exploited to bypass authentication and gain …

  1. bigfoot780


    So you need to monitor your DCs for events from legacy clients. But you need to do this for 30 days to catch any computer password resets. If the August patches didn't reach your DCs until late August, as Microsoft like breaking things (Server 2016 and security options in secpol this month), you still need to wait to turn on enforcement mode or exclude some computers.
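
An added example, not part of the comment above and not Microsoft's tooling: a check of whether the 30-day observation window has elapsed on every DC and which machine accounts still block enforcement mode. The Netlogon event IDs (5829 for an allowed vulnerable connection, 5830/5831 for connections allowed by the group-policy exception) come from Microsoft's guidance for CVE-2020-1472 rather than from this page, and all host names and dates are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Netlogon event IDs a patched DC writes to its System log (assumption taken
# from Microsoft's CVE-2020-1472 guidance, not from this page).
ALLOWED_VULNERABLE = {5829}       # vulnerable connection allowed, pre-enforcement
ALLOWED_BY_POLICY = {5830, 5831}  # allowed via the explicit policy exception
OBSERVATION_DAYS = 30             # window for machine password resets

# Constructed sample export: (date, DC, event ID, machine account).
SAMPLE_EVENTS = [
    (date(2020, 8, 27), "DC01", 5829, "NAS01$"),
    (date(2020, 9, 2), "DC02", 5829, "NAS01$"),
    (date(2020, 9, 10), "DC01", 5829, "OLDAPP$"),
    (date(2020, 9, 12), "DC01", 5831, "SCANNER$"),
]
# Constructed dates on which each DC received the August update.
SAMPLE_PATCHED = {"DC01": date(2020, 8, 12), "DC02": date(2020, 8, 28)}


def enforcement_readiness(events, patched_on, today):
    """Return (ready, earliest_date, blockers, excluded).

    blockers maps each account still using a vulnerable secure channel to the
    DCs that logged it; excluded holds accounts already covered by the policy
    exception.
    """
    # The clock starts when the *last* DC is patched: until then some logons
    # land on a DC that cannot log them.
    earliest = max(patched_on.values()) + timedelta(days=OBSERVATION_DAYS)
    blockers, excluded = defaultdict(set), set()
    for _when, dc, event_id, account in events:
        if event_id in ALLOWED_VULNERABLE:
            blockers[account].add(dc)
        elif event_id in ALLOWED_BY_POLICY:
            excluded.add(account)
    ready = today >= earliest and not blockers
    return ready, earliest, dict(blockers), excluded


if __name__ == "__main__":
    ready, earliest, blockers, excluded = enforcement_readiness(
        SAMPLE_EVENTS, SAMPLE_PATCHED, today=date(2020, 9, 24))
    print("ready:", ready, "| earliest:", earliest)
    for account, dcs in sorted(blockers.items()):
        print("fix or exclude", account, "seen on", sorted(dcs))
    print("already excluded:", sorted(excluded))
```
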

    1. Anonymous Coward

      Re: Time

      To be fair this was all explained when the patch was released.

      We have been impacted, we cannot patch these (no extended support) so we went for a third-party micro-patching solution until we can replace our legacy servers in a few weeks.

      This honestly isn't a blame MS situation.

      1. FILE_ID.DIZ

        Re: Time

        I'm confused here.

        Based on my reading, the vulnerability is with the domain controller exclusively. Now, I get that there may be no-longer supported servers, but that'd be for 2008 or older... which is pretty old.

        There appear to be no patches for client OSs listed in the Microsoft CVE. So, who is hanging domain controllers off the internet?

        Well, the only acceptable instance that I know of is kdcproxy.... which does have me wondering if that is at risk. The CVE doesn't mention it.

  2. Anonymous South African Coward

    Micros~1.sht going down? And a Linux SAMBA DC server is not safe either, you also need to ensure you have the correct configuration, it is also exploitable without the correct configuration.


    I can see that crypto-malware ne'er-do-wells can use this to ensure their crypto-malware will be able to run with highest privileges and encrypt *.* on the entire network...

    1. Jeremy Allison

      Not completely true about Samba AD-DC.

      If you're running a post Samba 4.8 server you're safe, even though the proof of concept code reports it as vulnerable (the PoC code only tries the logon, it doesn't actually try any of the activities that the default Samba setting of schannel required prohibits). Better to be safe though and upgrade to the version that removes the false positive from the PoC code.

      More details here:

  3. Andy The Hat Silver badge

    And the US State Department spokesperson spaketh saying ...

    This was obviously a built in design flaw to allow back door access by the anti-US Chinese state snoops to gain cont...

    <puts finger to earpiece ...>

    err what?

    Microsoft are American?

    Are you sure?

    Ehem. Thank you for coming everyone. It was a simple programming error. What silly billies they are! Nothing to see here ...

  4. Piro Silver badge

    Pretty sure nobody that reads El Reg would have been dragging their feet on this one.

  5. sitta_europea Silver badge

    For the moment I've just had to firewall some of Microsoft's IP block. Seems they're spewing nothing but viruses.

    Chain temporary_tarpit (1 references)
    num pkts bytes target prot opt in out source destination
    1 1270 59944 DROP tcp -- * *
    2 1120 52480 DROP tcp -- * *
    3 1190 56168 DROP tcp -- * *
