[CITL] Security Alert from UCR Info Sec Office: Zerologon Vulnerability (CVE-2020-1472)

Dewight F Kramer dewight.kramer at ucr.edu
Fri Sep 25 17:04:33 PDT 2020


DATE: September 25, 2020

Summary:
The CVE-2020-1472 (Netlogon/Zerologon) vulnerability has a High risk rating. Units should remediate it promptly by patching their domain controllers, or seek a Security Policy Exception from the Information Security Office.


Details:
The Information Security Office discussed the Zerologon vulnerability (CVE-2020-1472) in today's Friday 15, but because of the severity of the vulnerability, and because CITL members manage domain controllers, the ISO is sending out this warning as well.

The Zerologon vulnerability allows an attacker to compromise Windows Active Directory domain controllers and grant themselves administrative privileges by abusing the Netlogon Remote Protocol. Any unpatched domain controller is exposed to this threat.
An unauthenticated attacker needs only network access to a vulnerable domain controller (DC) to exploit it. This is a critical vulnerability that received a CVSS base score of 10.0 (the highest possible) from Microsoft.

With this information, ISO has concluded the following:
Threat: High – Multiple versions of the exploit code are available to attackers, and vulnerable domain controllers are actively being exploited.
Vulnerability: High – Due to the CVSS of 10.0.
Impact: High – A successful attack would grant the attacker administrative privileges on a DC.

Under ISO's risk calculus, High ratings for threat, vulnerability and impact yield a High Risk Rating. There are no mitigating controls or workarounds; the only remediation is to patch all DCs. Therefore, DCs that are vulnerable to this attack should be patched promptly.
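Because unpatched DCs are being actively exploited, units that patch should also look for evidence of attempts against their DCs. The following triage script is an added example for this notice, not code from the UCR Information Security Office or from Microsoft. It assumes (none of which is stated in the notice) that events from each DC's System and Security logs have been exported as Python dicts, and it keys on the NETLOGON Event IDs that Microsoft's update added to the System log (5827/5828: vulnerable Netlogon connection denied; 5829: vulnerable connection still allowed; 5830/5831: allowed by a group policy exception), plus Security Event 4742 (computer account changed) with ANONYMOUS LOGON as the subject, a commonly published indicator of a machine account password being reset the way public exploit code does it. The sample events, host names and IP addresses are constructed.

```python
"""Triage exported Windows event records for Zerologon (CVE-2020-1472) activity.

Added example; not code from the UCR ISO or from Microsoft. Event dicts,
host names and addresses below are constructed for illustration.
"""
from collections import defaultdict

ANONYMOUS_LOGON_SID = "S-1-5-7"
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample export (not real UCR data).
SAMPLE_EVENTS = [
    # A patched DC refusing a vulnerable Netlogon connection from an old workstation.
    {"log": "System", "provider": "NETLOGON", "event_id": 5827,
     "computer": "dc1.example.edu",
     "data": {"SamAccountName": "WS-OLD$", "ClientIP": "10.10.5.23"}},
    # A patched DC still allowing a vulnerable connection (device must be fixed).
    {"log": "System", "provider": "NETLOGON", "event_id": 5829,
     "computer": "dc1.example.edu",
     "data": {"SamAccountName": "NAS01$", "ClientIP": "10.10.9.8"}},
    # A DC's own computer account changed by ANONYMOUS LOGON: possible exploitation.
    {"log": "Security", "provider": "Microsoft-Windows-Security-Auditing",
     "event_id": 4742, "computer": "dc2.example.edu",
     "data": {"SubjectUserSid": ANONYMOUS_LOGON_SID,
              "SubjectUserName": "ANONYMOUS LOGON",
              "TargetUserName": "DC2$",
              "PasswordLastSet": "9/25/2020 3:11:04 PM"}},
    # A routine computer account change by an administrator; must not be flagged.
    {"log": "Security", "provider": "Microsoft-Windows-Security-Auditing",
     "event_id": 4742, "computer": "dc2.example.edu",
     "data": {"SubjectUserSid": "S-1-5-21-1111-2222-3333-500",
              "SubjectUserName": "Administrator",
              "TargetUserName": "WS-NEW$",
              "PasswordLastSet": "-"}},
]


def classify(event):
    """Return (severity, description) for a Zerologon-relevant event, else None."""
    eid = event["event_id"]
    data = event.get("data", {})
    if event["log"] == "System" and event.get("provider") == "NETLOGON":
        if eid in (5827, 5828):
            return ("medium", "vulnerable Netlogon connection denied; "
                              "DC is patched, find and fix the source")
        if eid == 5829:
            return ("high", "vulnerable Netlogon connection still allowed; "
                            "device is non-compliant and must be fixed")
        if eid in (5830, 5831):
            return ("low", "vulnerable connection allowed by group policy exception")
    if event["log"] == "Security" and eid == 4742:
        # ANONYMOUS LOGON changing a machine account password is not normal
        # administration; public Zerologon exploits reset the DC's own account.
        if (data.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
                and data.get("TargetUserName", "").endswith("$")
                and data.get("PasswordLastSet", "-") != "-"):
            return ("critical", "computer account password changed by "
                                "ANONYMOUS LOGON; possible Zerologon exploitation")
    return None


def triage(events):
    """Classify every event and return the findings sorted by severity."""
    findings = []
    for event in events:
        result = classify(event)
        if result is None:
            continue
        severity, description = result
        data = event.get("data", {})
        findings.append({
            "severity": severity,
            "dc": event["computer"],
            "event_id": event["event_id"],
            # NETLOGON events name the client account; 4742 names the changed account.
            "account": data.get("SamAccountName") or data.get("TargetUserName"),
            "client_ip": data.get("ClientIP"),
            "description": description,
        })
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


def summarize(findings):
    """Count findings per DC and severity: {dc: {severity: n}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f["dc"]][f["severity"]] += 1
    return {dc: dict(sev) for dc, sev in counts.items()}


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper():8}] {f['dc']} event {f['event_id']} "
              f"account={f['account']} ip={f['client_ip']}: {f['description']}")
    print(summarize(triage(SAMPLE_EVENTS)))
```

One caveat when reading the output: a DC that logs none of the NETLOGON 5827-5831 events either has no vulnerable clients connecting or has not been patched at all, because unpatched DCs never emit them. The triage therefore complements verifying the patch on each DC; it does not replace it.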
If you'd like more information regarding this vulnerability, please reach out to the Information Security Office at infosecoffice at ucr.edu.

If it is not possible to patch these systems promptly, a Security Policy Exception should be obtained. Although this process is being updated to better track it, currently the CISO would need to guide individuals through the process. The Unit head (Dean or VC) would need to sign off on the exception, and there is a possibility that the CRE would also need to sign off on the exception.


For more information, see: https://www.csoonline.com/article/3576193/what-is-zerologon-why-you-should-patch-this-critical-windows-server-flaw-now.html

Here is a video that explains technical details: https://nakedsecurity.sophos.com/2020/09/21/naked-security-live-the-zerologon-hole-are-you-at-risk/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29

For more technical information, see https://www.secura.com/blog/zero-logon.


Dewight Fredrick Kramer
Chief Information Security Officer
Information Technology Solutions
University of California, Riverside
(951) 827-3070 | dewight.kramer at ucr.edu


