The US Department of Homeland Security (DHS) recently issued a security warning to all government agencies regarding a security exploit found within Microsoft’s Windows OS. According to the department’s Cybersecurity and Infrastructure Security Agency (CISA), the warning concerns an exploit known as Zerologon.
Apparently, Zerologon affects Windows domain controllers and, if used accordingly by hackers, would enable insidious parties to escalate privileges within a system and, in turn, gain access to other systems and files. It reportedly does this by taking advantage of the Windows Server Netlogon Remote Protocol and its authentication in order to record session data of the affected user.
We just released an Emergency Directive concerning a critical vulnerability affecting Microsoft Windows servers: https://t.co/HfJst2C0QL. This directive instructs Federal Civilian Executive Branch agencies to take action on this vulnerability. #InfoSec #InfoSecurity 1/2
— Cybersecurity and Infrastructure Security Agency (@CISAgov) September 19, 2020
To be clear, Microsoft had already been informed about Zerologon back in August and had released a patch to mitigate the flaw specifically for its Windows Server OS. Despite this, CISA is clearly not taking any further chances with the exploit, which explains why it issued the emergency directive in the first place.
To that end, the emergency directive requires all agencies to either update all Windows Servers with the domain controller role, or to simply “pull un-updatable systems from the network.” It’s an extreme reaction from a government agency, but at the same time, it can also be argued that you wouldn’t want to find yourself on the receiving end of an exploit carrying the highest severity rating on the Common Vulnerability Scoring System (CVSS).
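As an added example that is not part of the article or of the CISA directive, the following PowerShell inventory is what a domain admin could run to find domain controllers that still need the August update and to see whether the patched ones are already logging vulnerable Netlogon connections. It assumes the ActiveDirectory module and admin rights on each DC; the KB identifier is a placeholder to be filled in per Windows Server version, and the NETLOGON event IDs 5827 to 5831 are the ones a patched DC writes when a Netlogon secure channel that does not use secure RPC is denied or allowed.

```powershell
# Added example (not from the article or CISA): list domain controllers, check
# whether the August 2020 Netlogon update is present, and count the NETLOGON
# events a patched DC records for vulnerable secure-channel connections.
# Assumes: ActiveDirectory module, admin rights on each DC, and a KB number
# filled in for each OS build (placeholder below; it differs per version).
Import-Module ActiveDirectory

$NetlogonKB = 'KB<fill-in-for-your-OS-version>'   # placeholder, not a real KB id
$Since      = (Get-Date).AddDays(-7)               # look back one week

foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # Get-HotFix returns nothing (and we suppress the error) when the KB is absent.
    $patched = $null -ne (Get-HotFix -Id $NetlogonKB -ComputerName $name -ErrorAction SilentlyContinue)

    # After the August update a DC writes NETLOGON events 5827-5831 to the System
    # log when a Netlogon secure channel without secure RPC is denied or allowed.
    # An unpatched DC never logs these, so only query the patched ones.
    $events = @()
    if ($patched) {
        $events = Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = 5827, 5828, 5829, 5830, 5831
            StartTime    = $Since
        }
    }

    [pscustomobject]@{
        DomainController = $name
        OperatingSystem  = $dc.OperatingSystem
        PatchInstalled   = $patched
        VulnConnEvents7d = @($events).Count
        Action           = if ($patched) { 'Monitor / enforce' } else { 'Patch or isolate' }
    }
}
```

Domain controllers reported with PatchInstalled false are the ones the directive says to update or pull from the network; a non-zero event count on a patched DC points at members or devices still making vulnerable Netlogon connections that need attention before enforcement.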