A critical Netlogon vulnerability detailed last week and patched in August by Microsoft could put operational technology (OT) networks at risk for disruption by allowing an unauthenticated attacker to gain domain-level administrator privileges.
The Netlogon service lives within Microsoft Active Directory (AD), which is used to manage domains and users, as well as authentication and authorization to network assets. Active Directory is often installed locally on an OT network or used cross-domain between IT and OT networks. Technologies such as distributed control systems (DCS), for example, may be particularly vulnerable to this bug because they often rely on AD as their main authentication repository for network credentials. Penetrating the domain controller of an industrial network could put an attacker in position to interfere with and damage business processes.
Microsoft made a patch available for CVE-2020-1472 last month, and said the patch is the first part of a phased two-part rollout. Part two of the rollout will be available in the first quarter of 2021. This vulnerability was given a CVSSv3 score of 10, the highest criticality score.
Netlogon is a remote procedure call (RPC) interface that is part of the Windows Client Authentication Architecture. Its purpose is to verify network login requests, authenticate users to domain controllers, and facilitate access to networked services. Domain controllers are common in industrial networks and often include multiple domains and domain servers.
It's highly recommended that organizations apply this patch immediately, given that several proof-of-concept exploits have been made public, including one confirmed by a CERT/CC analyst. This privilege escalation vulnerability may also affect Samba, the interoperability suite standard on Linux and Unix operating systems that provides print and file services for Windows clients, whether it acts as a domain controller or as a domain member.
Researchers at Secura, a security services company in the Netherlands, privately disclosed the flaw—which they call Zerologon—to Microsoft and last week published a research paper and testing tool.
Zerologon is so named because of a zero-padding flaw in the initialization vector of the AES-CFB8 encryption scheme used by the ComputeNetlogonCredential function in the Netlogon NetrServerReqChallenge authentication process. Roughly once every 256 tries, or about every three seconds, the function is likely to produce an eight-byte output of all zeros, one that can give an attacker access to any computer in the domain.
Once the attacker is able to bypass the Netlogon authentication calls, they may use NetrServerPasswordSet2, an unsigned and unsealed function used to set a new computer password for the client. Setting it with all zeroes yields an empty password, with which the attacker can log on and then change the password. This attack is most dangerous when applied to the domain server, because it can give the attacker domain admin privileges.
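To make the cryptographic root cause concrete, here is an added example (not Secura's testing tool, Microsoft's code, or any Netlogon protocol code) that implements AES-CFB8 by hand in Go using only the standard library and shows why an all-zero IV is fatal: with a zero register and zero plaintext, the output stays all zeros for exactly those keys whose first AES keystream byte is zero, which is one key in 256. The NIST SP 800-38A CFB8-AES128 vector is used to check the mode implementation; the random-key count is a constructed experiment, not a Netlogon measurement.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// cfb8Encrypt is a plain AES-CFB8 implementation: for every plaintext byte the
// 16-byte shift register is encrypted, its first keystream byte is XORed with
// the plaintext byte, and the resulting ciphertext byte is shifted into the
// register from the right.
func cfb8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("iv must be %d bytes", block.BlockSize())
	}
	register := append([]byte(nil), iv...)
	keystream := make([]byte, block.BlockSize())
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(keystream, register)
		out[i] = p ^ keystream[0]
		copy(register, register[1:])
		register[len(register)-1] = out[i]
	}
	return out, nil
}

// allZero reports whether every byte of b is zero.
func allZero(b []byte) bool {
	for _, v := range b {
		if v != 0 {
			return false
		}
	}
	return true
}

// zeroIVDegenerates reports whether a key makes zero-IV CFB8 collapse: with an
// all-zero register and all-zero plaintext the output is all zeros exactly when
// AES_k(0^16)[0] == 0, because the register then never changes.
func zeroIVDegenerates(key []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	first := make([]byte, block.BlockSize())
	block.Encrypt(first, make([]byte, block.BlockSize()))
	return first[0] == 0, nil
}

// countWeakKeys draws n random AES-128 keys (a constructed experiment) and counts
// how many turn a zero IV and eight zero plaintext bytes into eight zero
// ciphertext bytes; the expected count is about n/256.
func countWeakKeys(n int) (int, error) {
	weak := 0
	key := make([]byte, 16)
	for i := 0; i < n; i++ {
		if _, err := rand.Read(key); err != nil {
			return 0, err
		}
		out, err := cfb8Encrypt(key, make([]byte, 16), make([]byte, 8))
		if err != nil {
			return 0, err
		}
		if allZero(out) {
			weak++
		}
	}
	return weak, nil
}

func main() {
	// Sanity check of the mode against the NIST SP 800-38A CFB8-AES128 vector.
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	iv, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	pt, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172aae2d")
	ct, _ := cfb8Encrypt(key, iv, pt)
	fmt.Println("NIST vector ok:", hex.EncodeToString(ct) == "3b79424c9c0dd436bace9e0ed4586a4f32b9")

	weak, _ := countWeakKeys(20000)
	fmt.Printf("%d of 20000 random keys gave an all-zero result (expect about %d)\n", weak, 20000/256)
}
```

The defensive lesson is the same one the patch enforces: CFB8 is only as strong as its IV, so the IV must be unpredictable per message and the secure-channel protections that supply it must be mandatory rather than negotiable.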
Secura cautions that unpatched domain controllers can be compromised from the same local area network, and that attackers could elevate privileges to admin or impersonate any networked device authenticating to a domain controller. This vulnerability is actually an expansion of a previously discovered one, CVE-2019-1424, a security bypass flaw in Netlogon that enabled remote local administrator access to domain-joined machines using a man-in-the-middle attack.
Until phase two of the patch is available next year, Microsoft recommends installing the security update released Aug. 11, which makes the Netlogon protections this vulnerability defeats mandatory for all Netlogon authentication attempts. Users may also turn on DC enforcement mode. As Microsoft explains: "DC enforcement mode is when all Netlogon connections are either required to use secure RPC or the account must have been added to the 'Domain controller: Allow vulnerable Netlogon secure channel connections' group policy."
CWE-257: Storing Passwords in a Recoverable Format
RND encrypts passwords with a hardcoded weak secret key and returns the passwords in plaintext. If the server were compromised, an attacker could gain all the plaintext passwords and decrypt them.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 5.3
CWE-321: Use of Hard-coded Cryptographic Key
A built-in user called sshuser, with root privileges, exists on the RND platform. Both public and private ssh keys exist in the sshuser home directory. Anyone with the private key can access an RND server as sshuser.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 10.0
CWE-259: Use of Hard-coded Password
RND includes a jailed environment to allow users to configure devices without complete shell access to the underlying operating system. The jailed environment includes a built-in jailbreak for technicians to elevate privileges. The jailbreak requires a weak password that is hardcoded into the environment. Anyone with this password can access an RND server with root permissions.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 8.2
CWE-321: Use of Hard-coded Cryptographic Key
RND uses a secret key on the backend web server to ensure that session JWTs are valid. This secret key is hardcoded into the web server. Anyone with knowledge of the secret key could create a valid JWT, thus bypassing the typical authentication to access the server with administrator privileges.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.8
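The JWT finding above comes down to where the HMAC key lives and whether the verifier is strict. The following Go program is an added example, not Ruckus code and not a description of how RND's web server actually works; the `JWT_SECRET` environment variable, the `hardcodedSecret` placeholder and the demo claims are all constructed. It contrasts a key baked into the binary with one loaded at startup, and shows a verifier that accepts only HS256, compares MACs in constant time, and therefore rejects a token minted with a guessed or leaked key as well as an unsigned "alg":"none" token.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// hardcodedSecret mirrors the weak pattern: a key compiled into the server is
// known to anyone who can read the binary or its source. Constructed placeholder.
const hardcodedSecret = "change-me"

// loadSecret reads the signing key from the environment (assumed variable name);
// a real deployment would generate at least 32 random bytes at install time.
func loadSecret() ([]byte, error) {
	s := os.Getenv("JWT_SECRET")
	if len(s) < 32 {
		return nil, errors.New("JWT_SECRET missing or shorter than 32 bytes")
	}
	return []byte(s), nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 builds a compact JWT (header.payload.signature) over the claims.
func signHS256(secret []byte, claims map[string]any) (string, error) {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// verifyHS256 pins the algorithm to HS256, recomputes the MAC with the server's
// secret and compares in constant time, so the claims are only trusted when the
// token was produced with that exact key.
func verifyHS256(secret []byte, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	got, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(got, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	claimsJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(claimsJSON, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	os.Setenv("JWT_SECRET", "constructed-demo-secret-0123456789abcdef") // demo only
	secret, _ := loadSecret()
	tok, _ := signHS256(secret, map[string]any{"sub": "admin"})
	_, err := verifyHS256(secret, tok)
	fmt.Println("server-issued token accepted:", err == nil)
	forged, _ := signHS256([]byte(hardcodedSecret), map[string]any{"sub": "admin"})
	_, err = verifyHS256(secret, forged)
	fmt.Println("token signed with the guessable hardcoded key rejected:", err != nil)
}
```

The point of loading the key at startup is that rotating it becomes an operational action rather than a firmware release, which is also the only way to invalidate every token an attacker could have minted once a key is known to be exposed.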
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
An authenticated vSZ user supplies an IP address as an argument to be run in an OS command, but this IP address is not sanitized. A user could supply other commands instead of an IP address to achieve RCE.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.0
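For the command injection finding, the fix is to never let user input reach a shell and to accept only what the parameter is supposed to be. The program below is an added example in Go, not vSZ code and not a claim about how the product builds its command; the ping command and the sample inputs are constructed. It places the unsafe string-splicing pattern beside a version that validates the value as a literal IP address with net.ParseIP and passes it as a single argv element to exec.Command, so no shell ever parses it.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os/exec"
)

// vulnerablePingCommand shows the pattern the advisory describes: the user value
// is spliced into a command line that a shell will parse, so shell metacharacters
// in it are interpreted by the shell rather than treated as an address.
// Shown only for contrast; it is never executed here.
func vulnerablePingCommand(userValue string) string {
	return "ping -c 1 " + userValue
}

// validateIP accepts only a literal IPv4 or IPv6 address; hostnames, whitespace,
// separators and substitutions are all rejected before any command is built.
func validateIP(userValue string) (string, error) {
	ip := net.ParseIP(userValue)
	if ip == nil {
		return "", errors.New("not a literal IP address")
	}
	return ip.String(), nil
}

// pingArgs builds an argv for exec.Command with no shell in between, so the
// value can only ever be one argument of the one intended program.
func pingArgs(userValue string) ([]string, error) {
	ip, err := validateIP(userValue)
	if err != nil {
		return nil, err
	}
	return []string{"ping", "-c", "1", ip}, nil
}

// runPing executes the validated argv directly (no "sh -c").
func runPing(userValue string) ([]byte, error) {
	args, err := pingArgs(userValue)
	if err != nil {
		return nil, err
	}
	return exec.Command(args[0], args[1:]...).CombinedOutput()
}

func main() {
	// Constructed sample inputs: two valid addresses and two that are not addresses.
	for _, v := range []string{"192.0.2.1", "2001:db8::1", "192.0.2.1; id", "localhost"} {
		args, err := pingArgs(v)
		fmt.Printf("%-16q -> args=%v err=%v\n", v, args, err)
	}
}
```

Validation and argv execution are independent layers: the allow-list stops anything that is not an address at the API boundary, and the argv call guarantees that even a validation mistake yields an odd argument to ping rather than a second command.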