
Microsoft Issues Second Patch for Netlogon Vulnerability

First Patch for 'Zerologon' Flaw Had Been Issued Last August

Microsoft has pushed out the second, enforcement phase of its fix for the "Zerologon" privilege escalation vulnerability in the Windows Netlogon Remote Protocol (MS-NRPC), nearly six months after the first phase was issued (see Microsoft Issues Updated Patching Directions for 'Zerologon').


The first-phase patch for the critical vulnerability, tracked as CVE-2020-1472 and rated CVSS 10.0, was issued with the August 2020 Patch Tuesday updates.

"The first phase of the patch was intended to address the vulnerability on two fronts: blocking both Windows-based domain members and non-Windows PCs that have been configured to disable signing/encryption as well as making changes to the Netlogon protocol for clients that cannot use the required signing/encryption," says Satnam Narang, staff research engineer at the security firm Tenable.

The second phase, delivered with the February 2021 updates, completes the process for organizations that did not opt in to enforcement earlier: it places domain controllers into enforcement mode automatically, so that the protections shipped in August 2020 apply regardless of whether an administrator turned them on. The second patch effectively brings all domain controllers up to the same level of protection.

"Many organizations already enabled protection … but for those who did not already do so, the February OS update will enable this automatically," explains Chris Goettl, senior director of product management and security at Ivanti.
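The practical question after the enforcement update lands is whether a given domain controller is actually enforcing and which clients were still negotiating vulnerable Netlogon secure channels. The following PowerShell script is an added example, not code from the article, Microsoft or the quoted vendors. It assumes it is run as an administrator on a Windows Server domain controller with the February 2021 update installed, reads the FullSecureChannelProtection registry value that the August 2020 update introduced for opt-in enforcement, and tallies the Netlogon event IDs 5827 through 5831 that the same update added to the System log. The regular expression that pulls the calling machine account out of the event text assumes Microsoft's "Machine SamAccountName:" wording in those messages.

```powershell
# Added example: check a domain controller's Zerologon enforcement state and
# list clients that recently attempted vulnerable (unsigned/unencrypted) Netlogon
# secure channels. Not from the original article; assumes an elevated PowerShell
# session on a Windows Server DC.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$props   = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

# FullSecureChannelProtection = 1 was the manual opt-in to enforcement mode after the
# August 2020 update. From the February 2021 update onward the DC enforces regardless
# of this value, so "not set" no longer means the DC is in initial-deployment mode.
$mode = if ($null -ne $props.FullSecureChannelProtection) {
    $props.FullSecureChannelProtection
} else {
    '(not set)'
}
Write-Host "FullSecureChannelProtection = $mode"

# Netlogon event IDs introduced by the August 2020 update (Microsoft KB4557222).
$eventMeaning = @{
    5827 = 'DENIED  vulnerable connection from machine account'
    5828 = 'DENIED  vulnerable connection from trust account'
    5829 = 'ALLOWED vulnerable connection (only possible in initial-deployment mode)'
    5830 = 'ALLOWED vulnerable machine account via group policy exception'
    5831 = 'ALLOWED vulnerable trust account via group policy exception'
}

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Netlogon 5827-5831 events since $since; no vulnerable secure-channel attempts were logged."
    return
}

# Pull the calling account name out of the message body (assumed wording:
# "Machine SamAccountName: <name>"); fall back to a marker if the pattern is absent,
# as it is for the trust-account events.
$rows = $events | ForEach-Object {
    $acct = ([regex]::Match($_.Message, 'SamAccountName:\s*(\S+)')).Groups[1].Value
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Meaning = $eventMeaning[$_.Id]
        Account = if ($acct) { $acct } else { '(unparsed)' }
    }
}

$rows |
    Group-Object Id, Account |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Id';      e = { $_.Group[0].Id } },
        @{ n = 'Meaning'; e = { $_.Group[0].Meaning } },
        @{ n = 'Account'; e = { $_.Group[0].Account } } |
    Format-Table -AutoSize

# 5829 after the February update means the DC is still on a pre-enforcement build.
# 5827/5828 name clients that must be patched or replaced, not exempted via policy.
if ($rows | Where-Object Id -eq 5829) {
    Write-Warning 'Event 5829 seen: this DC still allows vulnerable Netlogon connections. Verify the February 2021 update is installed.'
}
```

Run the script on every domain controller, since each DC logs only the connections it received. A steady stream of 5830/5831 events identifies accounts that were placed in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy as a stopgap; those exceptions keep the original attack path open for the listed accounts and should be removed once the devices behind them support secure RPC.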

Netlogon's Risks

An attacker who exploits unpatched Zerologon after gaining a foothold inside a network can move laterally, impersonate systems, change machine account passwords and elevate privileges through the domain controller itself, Microsoft says.

"When you consider that Zerologon led the U.S. government to issue an emergency directive to all federal agencies to promptly apply the patches for this vulnerability, you start to understand the gravity of the situation," Narang says. "With this second phase being completed today, organizations that have yet to patch Zerologon need to do so immediately."

Within weeks of Microsoft acknowledging the vulnerability and issuing the first phase of the patch, several proof-of-concept exploits for Zerologon were published, followed by attacks on organizations that had not yet installed the initial patch. Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency warned in September 2020 that the vulnerability was being exploited, and CISA's Emergency Directive 20-04 ordered federal agencies to patch their domain controllers.

Exploiting Zerologon

In October 2020, Microsoft warned its customers the nation-state hacking group it calls Mercury, which has ties to Iran, was exploiting the flaw.

Microsoft noted at the time that Mercury - also known as MuddyWater, Static Kitten and Seedworm - and other hacker groups were disguising their phishing messages as software updates to fool victims into believing they were protecting themselves when in fact they were downloading malware (see: Iranian Hackers Exploiting 'Zerologon' Flaw).

Patch Tuesday Highlights

In addition to finalizing the Netlogon fix as part of this month's Patch Tuesday, Microsoft patched 56 other vulnerabilities, 11 of them rated critical, including zero-day vulnerabilities that are already being exploited in the wild.

These include CVE-2021-1732 in the Win32k kernel-mode driver (win32k.sys), which, if exploited, could allow an attacker who already has code running on a system to elevate their privileges. Exploits of the vulnerability have been detected in the wild, Goettl says.

CISA released an alert Tuesday urging organizations to implement the Win32k patch.

Microsoft also reports that CVE-2021-21148, a heap buffer overflow in V8, the JavaScript engine of the open-source Chromium project on which the Microsoft Edge browser is built, is being exploited in the wild.

Adobe Patches Critical Flaw

In other patching news, Adobe issued a patch Tuesday for a vulnerability, CVE-2021-21017, in Adobe Acrobat and Reader.

Adobe acknowledges that the flaw, a heap-based buffer overflow that could lead to arbitrary code execution, is being exploited in the wild.

About the Author

Doug Olenick


Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to TheStreet and Mainstreet.
