You know that Microsoft ZeroLogon bug you've been dragging your feet on? It's getting pwned in the wild now The rather concerning design flaw in Microsoft's netlogon protocol is being exploited in the wild by miscreants, the Windows giant's security team has warned. The mega-biz today confirmed it is seeing active attacks abusing the CVE-2020-1472 vulnerability, aka ZeroLogon, which can be exploited to bypass authentication and gain …
So you need to monitor your DCs for events from legacy clients. But you need to do this for 30 days to catch any computer password resets. If the August patches didn't reach your DCs until late August as Microsoft like breaking things (Server 2016 and security options in secpol this month). You still need to wait to turn on enforcement mode or exclude some computers.
I'm confused here.
Based on my reading, the vulnerability is with the domain controller exclusively. Now, I get that there may be no-longer supported servers, but that'd be for 2008 or older... which is pretty old.
There appears to be no patches for client OSs listed in the Microsoft CVE. So, who is hanging domain controllers off the internet?
Well, the only acceptable instance that I know of is kdcproxy.... which does have me wondering if that is at risk. The CVE doesn't mention it.
Micros~1.sht going down? And a Linux SAMBA DC server is not safe either, you also need to ensure you have the correct configuration, it is also exploitable without the correct configuration.
So.
I can see that crypto-malware ne'er-do-wells can use this to ensure their crypto-malware will be able to run with highest privileges and encrypt *.* on the entire network...
If you're running a post Samba 4.8 server you're safe, even though the proof of concept code reports it as vulnerable (the PoC code only tries the logon, it doesn't actually try any of the activities that the default Samba setting of schannel required prohibits). Better to be safe though and upgrade to the version that removes the false positive from the PoC code.
More details here:
https://www.samba.org/samba/security/CVE-2020-1472.html
This was obviously a built in design flaw to allow back door access by the anti-US Chinese state snoops to gain cont...
<puts finger to earpiece ...>
err what?
Microsoft are American?
Are you sure?
Ehem. Thankyou for coming everyone. It was a simple programming error. What silly billies they are! Nothing to see here ...
For the moment I've just had to firewall some of Microsoft's IP block. Seems they're spewing nothing but viruses.
Chain temporary_tarpit (1 references)
num pkts bytes target prot opt in out source destination
1 1270 59944 DROP tcp -- * * 40.92.255.0/24 0.0.0.0/0
2 1120 52480 DROP tcp -- * * 40.92.254.0/24 0.0.0.0/0
3 1190 56168 DROP tcp -- * * 40.92.253.0/24 0.0.0.0/0
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
