Zerologon flaw lets hackers take over the entire network

Last month Microsoft patched Zerologon, one of the most severe bugs ever reported to the company. The flaw could allow attackers to infiltrate enterprises by gaining administrative privileges, giving them access to companies' Active Directory domain controllers. The vulnerability received a CVSS score of 10, but details were never made public, so users and IT administrators never knew how dangerous the issue really was. More information can be found below.

1. Zerologon attack lets hackers take over enterprise networks in 3..2..1..

CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) for which Microsoft released a patch in August, has just become a huge liability for organizations that are struggling with timely patching.

CVE-2020-1472 (aka Zerologon) affects all supported Windows Server versions, but the danger is highest for servers that function as Active Directory domain controllers in enterprise networks.

The vulnerability stems from a flaw in the cryptographic authentication scheme used by the Netlogon Remote Protocol. Netlogon uses AES in CFB8 mode, which relies on a random IV, but Microsoft's implementation fixes the IV to all zeros. With an all-zero IV and all-zero input, one key in 256 produces an all-zero output, so an attacker needs about 256 tries (and failed attempts are not limited) to break in, which takes about 3 seconds!

This attack has a huge impact. It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged a device into an on-premises network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.

Many PoC exploits were released by security researchers over the last week, and the effectiveness of some of them has been confirmed. The exploit has also been added to the newest version of Mimikatz.

Secura researchers published a Python script organizations can use to check whether a domain controller is vulnerable or not.

Remediation. Systems that have received the patch released in August are safe from attack, as it enforces secure NRPC for all Windows servers and clients in the domain. All Active Directory domain controllers should be updated, including read-only domain controllers.

But complete remediation will happen after organizations deploy Domain Controller (DC) enforcement mode, which requires all Windows and non-Windows devices to use secure NRPC or to explicitly allow the account by adding an exception for any non-compliant device.

While organizations can deploy DC enforcement mode immediately by enabling specific registry keys, on February 9, 2021, DCs will be placed in enforcement mode automatically.
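The August update that the remediation paragraphs describe also makes domain controllers log which machine and trust accounts still connect over the insecure channel, which is the list an administrator needs to work through before enforcement mode arrives. The script below is an added example (it is not Secura's checker or Microsoft tooling) that triages such events from a simple pipe-separated export; the export format and the sample lines are constructed for the example, while the Event IDs 5827 to 5831 are the ones Microsoft documented for the Netlogon update.

```python
"""Triage the Netlogon events (IDs 5827-5831) that the August 2020
CVE-2020-1472 update writes to a domain controller's System log.

Added example, not Secura's checker or Microsoft tooling. Assumes the
events were exported as "EventID|Computer|Message|key=value;..." lines.
"""
from collections import defaultdict

# Event IDs added by the August 2020 Netlogon update and their meaning.
NETLOGON_EVENTS = {
    5827: ("denied", "machine account"),
    5828: ("denied", "trust account"),
    5829: ("allowed-vulnerable", "machine account, initial deployment phase"),
    5830: ("allowed-by-policy", "machine account"),
    5831: ("allowed-by-policy", "trust account"),
}

# Constructed sample export (not real log data).
SAMPLE_EXPORT = """\
5829|DC01|The Netlogon service allowed a vulnerable Netlogon secure channel connection.|Account=PRINTER07$
5829|DC01|The Netlogon service allowed a vulnerable Netlogon secure channel connection.|Account=PRINTER07$
5827|DC02|The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.|Account=LEGACYNAS$
5830|DC01|The Netlogon service allowed a vulnerable Netlogon secure channel connection because the machine account is allowed in the group policy.|Account=OLDAPP01$
4624|DC01|An account was successfully logged on.|Account=alice
"""


def parse_export(text):
    """Parse the pipe-separated export into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        try:
            event_id = int(parts[0])
        except ValueError:
            continue
        details = dict(kv.split("=", 1) for kv in parts[3].split(";") if "=" in kv)
        events.append({"id": event_id, "dc": parts[1], "message": parts[2], **details})
    return events


def summarize_netlogon(events):
    """Group (account, DC) pairs by outcome. The 'allowed-vulnerable' bucket
    is the action list: those accounts stop working once the DC enters
    enforcement mode unless they are fixed or explicitly excepted."""
    summary = defaultdict(set)
    for ev in events:
        if ev["id"] in NETLOGON_EVENTS:
            outcome, _ = NETLOGON_EVENTS[ev["id"]]
            summary[outcome].add((ev.get("Account", "?"), ev["dc"]))
    return {outcome: sorted(pairs) for outcome, pairs in summary.items()}


if __name__ == "__main__":
    for outcome, pairs in sorted(summarize_netlogon(parse_export(SAMPLE_EXPORT)).items()):
        print(outcome)
        for account, dc in pairs:
            print(f"  {account} (seen on {dc})")
```

Duplicate events for the same account collapse into one entry, and unrelated events (like the 4624 logon in the sample) are ignored, so the output is a deduplicated to-do list per outcome.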


2. Billions of IoT devices vulnerable to the BLESA Bluetooth security flaw

Smartphones, tablets, laptops, and IoT devices… they are all vulnerable to a new Bluetooth security flaw named BLESA (Bluetooth Low Energy Spoofing Attack). The vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol. Thanks to its battery-saving features, BLE has been massively adopted over the past decade, becoming a near-ubiquitous technology across almost all battery-powered devices.

The new BLESA attack goes after the Bluetooth reconnection process. Unlike previous vulnerabilities, most of which were found in the pairing operation, BLESA targets reconnection, which takes place after two BLE devices (the client and server) have already authenticated each other during pairing. Normally, when reconnecting, the two BLE devices should check each other's cryptographic keys negotiated during pairing, then reconnect and continue exchanging data via BLE.

But the Purdue research team said it found that authentication during device reconnection is optional instead of mandatory, and that it can potentially be circumvented if the user's device fails to require the IoT device to authenticate the data it sends.


These two issues leave the door open for a BLESA attack, during which a nearby attacker bypasses the reconnection verifications and sends spoofed data with incorrect information to a BLE device, inducing users and automated processes into making erroneous decisions.
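The two paragraphs above describe a design choice rather than a bug in one product: whether the client treats authentication on reconnection as optional or as mandatory. The model below is an added example (not the BLE link-layer protocol and not the Purdue team's code) that contrasts the two policies. It uses HMAC-SHA256 over each message as a stand-in for link-layer encryption keyed with the key from pairing; the Client class, the message format and the scenario names are assumptions of this example.

```python
"""Simplified model of BLE reconnection with optional versus mandatory
authentication of the peer.

Added example; HMAC-SHA256 stands in for the link-layer encryption that a
real BLE stack keys with the long-term key negotiated at pairing.
"""
import hashlib
import hmac
import os


def auth_tag(key, payload):
    """Authenticate a payload under the key negotiated at pairing."""
    return hmac.new(key, payload, hashlib.sha256).digest()


class Client:
    """A BLE client holding the key it negotiated with a server at pairing."""

    def __init__(self, paired_key, enforce_auth):
        self.key = paired_key
        self.enforce_auth = enforce_auth  # True: mandatory, False: optional

    def receive_after_reconnect(self, message):
        """Return the payload if accepted, None if rejected.
        message = {'payload': bytes, 'tag': bytes or absent}."""
        tag = message.get("tag")
        if tag is None:
            # Authentication was never started on this reconnection. A lenient
            # client carries on in plaintext (the BLESA gap); a strict client
            # refuses to process the data.
            return None if self.enforce_auth else message["payload"]
        if hmac.compare_digest(tag, auth_tag(self.key, message["payload"])):
            return message["payload"]
        return None  # tag present but computed under a different key


def server_message(paired_key, payload):
    """A genuine server that did pair knows the key."""
    return {"payload": payload, "tag": auth_tag(paired_key, payload)}


def spoofed_message(payload, guessed_key=None):
    """A nearby device that never paired has no key: it can only send
    untagged data or data tagged under a key of its own."""
    if guessed_key is None:
        return {"payload": payload}
    return {"payload": payload, "tag": auth_tag(guessed_key, payload)}


def run_scenarios():
    key = os.urandom(32)  # key from pairing (constructed for the example)
    genuine = server_message(key, b"temp=21.5")
    spoof_plain = spoofed_message(b"temp=99.9")
    spoof_keyed = spoofed_message(b"temp=99.9", guessed_key=os.urandom(32))
    lenient = Client(key, enforce_auth=False)
    strict = Client(key, enforce_auth=True)
    return {
        "lenient_genuine": lenient.receive_after_reconnect(genuine),
        "lenient_spoof_plain": lenient.receive_after_reconnect(spoof_plain),
        "lenient_spoof_keyed": lenient.receive_after_reconnect(spoof_keyed),
        "strict_genuine": strict.receive_after_reconnect(genuine),
        "strict_spoof_plain": strict.receive_after_reconnect(spoof_plain),
        "strict_spoof_keyed": strict.receive_after_reconnect(spoof_keyed),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20s} -> {'accepted ' + repr(result) if result else 'rejected'}")
```

The only row that differs between the two clients is the untagged spoof: both reject data tagged under the wrong key, but only the strict client rejects data that arrives with no authentication at all, which is exactly the case BLESA exploits.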

Issues with fixing the flaw. Sadly, just like with all the previous Bluetooth bugs, patching all vulnerable devices will be extremely hard. Patching some devices might not even be an option. Many IoT devices don't come with a built-in update mechanism, meaning they will remain permanently unpatched and vulnerable to the attack.


3. A new form of HTTP request smuggling affects a wide range of proxies

A new type of hack that piggybacks malicious web requests alongside legitimate ones could be used to create a broad range of havoc in an organization. This new form of HTTP request smuggling has been dubbed "h2c smuggling". H2c is the established protocol shorthand for HTTP/2 initiated by an HTTP/1.1 Upgrade header sent over cleartext. The attack occurs when an attacker uses h2c to send requests through an intermediary server (a proxy) and thereby evades the proxy's access controls.

Consequences? Hackers could use it to forge internal headers and access internal network endpoints.

Who's vulnerable to h2c smuggling? Bishop Fox, the security company that discovered this new form of attack, found affected servers across a diverse set of clients. The vulnerability appears to have such a potentially large scope of impact because "any" proxy can be affected, including proxied endpoints such as /api/ or /payments/, each of which can be affected independently of other proxied endpoints. Consumers won't be affected directly by h2c smuggling, but unauthorized access to their data, or actions taken with or to their accounts, could happen: the smuggling can give attackers access to users or the website via the backend servers.

How to stop an h2c smuggling attack? There are two methods so far. The first is to forward HTTP/1.1 Upgrade headers only for WebSocket upgrades. The second is to disable WebSocket support altogether and stop forwarding Upgrade headers.
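Both mitigations come down to one decision the proxy makes per request: whether the Upgrade header (and the hop-by-hop headers that travel with it) reaches the backend. The code below is an added example, not Bishop Fox's tool and not the configuration of any real proxy, that implements that decision for the two policies; the minimal request parser, the policy names "websocket-only" and "strip-all", and the sample requests are assumptions constructed for the example.

```python
"""Proxy-side handling of HTTP/1.1 Upgrade, showing the two mitigations for
h2c smuggling: forward Upgrade only for WebSocket, or never forward it.

Added example; the parser, policy names and sample requests are constructed.
"""


def parse_request(raw):
    """Return (request_line, headers); headers is a list of
    (lowercased name, value) pairs preserving order and duplicates."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def sanitize_upgrade(headers, policy):
    """Return the headers the proxy forwards upstream.

    'websocket-only': keep Upgrade only when its sole value is 'websocket';
    h2c, or lists such as 'websocket, h2c', are removed so the backend
    never switches the connection to HTTP/2.
    'strip-all': never forward Upgrade.
    Headers named in Connection are hop-by-hop (RFC 7230 section 6.1) and
    are dropped together with Upgrade, which also removes HTTP2-Settings.
    """
    upgrade_values = [v.lower() for n, v in headers if n == "upgrade"]
    keep_upgrade = policy == "websocket-only" and upgrade_values == ["websocket"]

    hop_by_hop = {"upgrade"}
    for name, value in headers:
        if name == "connection":
            hop_by_hop.update(t.strip().lower() for t in value.split(","))
    if keep_upgrade:
        hop_by_hop.discard("upgrade")

    forwarded = [(n, v) for n, v in headers
                 if n != "connection" and n not in hop_by_hop]
    if keep_upgrade:
        # The proxy emits its own Connection header for the upgrade it allows.
        forwarded.append(("connection", "Upgrade"))
    return forwarded


def forward_headers(raw, policy):
    """Parse a raw request and apply the policy in one step."""
    _, headers = parse_request(raw)
    return sanitize_upgrade(headers, policy)


# Constructed sample requests (not captured traffic).
H2C_REQUEST = (
    "GET /api/ HTTP/1.1\r\n"
    "Host: example.internal\r\n"
    "Upgrade: h2c\r\n"
    "Connection: Upgrade, HTTP2-Settings\r\n"
    "HTTP2-Settings: AAMAAABkAAQAAP__\r\n"
    "\r\n"
)
WS_REQUEST = (
    "GET /chat HTTP/1.1\r\n"
    "Host: example.internal\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Sec-WebSocket-Key: c2FtcGxlLWtleS1ub3QtcmVhbA==\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("h2c", H2C_REQUEST), ("websocket", WS_REQUEST)):
        for policy in ("websocket-only", "strip-all"):
            print(label, policy, forward_headers(raw, policy))
```

Under "websocket-only" the h2c request reaches the backend as a plain HTTP/1.1 request with no Upgrade, Connection or HTTP2-Settings header, while a genuine WebSocket handshake passes through; under "strip-all" neither upgrade is forwarded. Comparing the whole Upgrade value, rather than checking whether "websocket" appears in it, is what keeps a mixed "websocket, h2c" value from slipping past the first policy.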

Bishop Fox released a tool for checking whether an organization's proxy servers are vulnerable to h2c smuggling. More information can be found in their GitHub repository.


4. New BlindSide attack uses speculative execution to bypass ASLR

Researchers have developed a new technique for attacking secure computer systems by abusing speculative execution, a CPU mechanism that is normally used for performance optimization.

Academics from the Stevens Institute of Technology in New Jersey, ETH Zurich, and the Vrije University in Amsterdam say that BlindSide can be used to craft exploits that bypass ASLR (Address Space Layout Randomization) on modern operating systems.

Memory addresses are important for an attacker: if an attacker knows where an app executes its code in memory, they can fine-tune exploits that attack particular applications and steal sensitive information. As its name hints, ASLR works by randomizing the location where code executes in memory, effectively neutralizing such attacks until attackers find a way around it.

To bypass ASLR, an attacker typically needs to find an "information leak" type of vulnerability that leaks memory locations, or to probe memory until they find the proper location where another app runs and then modify their code to target that memory address space.

Both techniques are hard to pull off, especially the second, which often leads to system crashes or to detection by security systems.

The BlindSide attack works by moving this probing behavior into the realm of speculative execution. The very same process that can greatly speed up CPUs can also amplify the severity of common software vulnerabilities, such as memory corruption errors, by introducing speculative probing.

Effectively, BlindSide takes a vulnerability in a software app and exploits it over and over in the speculative execution domain, repeatedly probing the memory until the attacker bypasses ASLR.

Since this attack takes place in the realm of speculative execution, failed probes and crashes don't impact the CPU or its stability: they are suppressed as they happen and then discarded.

In their research, the team used a single buffer overflow in the Linux kernel.

BlindSide effectively allows attackers to "hack blind," without needing to worry about ASLR. The attack also works regardless of architecture, on both Intel and AMD CPUs. In addition, it works despite the recent mitigations that vendors have added against speculative execution attacks like Spectre, Meltdown, and others.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below.

1. Magento online stores hacked in largest campaign to date (ZDNet)
2. Researcher hacked Facebook by exploiting flaws in MobileIron MDM (Hack Read)
3. New MrbMiner malware has infected thousands of MSSQL databases (ZDNet)
4. Source code of Cerberus banking Trojan leaked on underground forums (Security Affairs)
5. Google ‘formally’ bans stalkerware apps from the Play Store (ZDNet)
6. Privacy-focused search engine DuckDuckGo is growing fast (Bleeping Computer)
7. Mobile messengers expose billions of users to privacy attacks (HelpNetSecurity)
8. Purple Fox malware: What it is, how it works and how to prevent it (Infosec)
9. This security awareness training email is actually a phishing scam (Bleeping Computer)
10. Misconfigured Database Leaks 370 Million Dating Site Records (Infosecurity Magazine)