Feds Yell PATCH NOW over Windows AD Zerologon Vuln

CISA sent an unusual warning late last week. The federal cybersecurity agency instructed government IT departments to drop everything and patch their Windows servers.

The source of all their fears? The Zerologon vulnerability, disclosed last week. Augusts patch Tuesday fixed the bug, but its feared many organizations will have delayed installing it on their AD domain controllers.

The thing is,Zerologon rates a perfect 10 on the CVSS scale. In todays SBBlogwatch, we run and hide.

Your humble blogwatchercurated these bloggy bits for your entertainment. Not to mention:Maiden Goes To Hollywood.

Whats the craic, Zack?Mister Whittaker reportsHomeland Security issues rare emergency alert:

The Cybersecurity and Infrastructure Security Agency, better known as CISA, [is] requiring all federal departments and agencies to immediately patch any Windows servers vulnerable to the so-called Zerologon attackciting an unacceptable risk to government networks. Rated the maximum 10.0 in severity, [it] could allow an attacker to take control of any or all computers on a vulnerable network, including domain controllers.The bug was appropriately called Zerologon, because an attacker doesnt need to steal or use any network passwords to gain access to the domain controllers. With complete access to a network, an attacker could deploy malware, ransomware, or steal sensitive internal files.Although the CISA alert only applies to federal government networks, the agency said it strongly urges companies and consumers to patch their systems as soon as possible if not already.

AndDan Goodin addsAgencies that dont update must disconnect all domain controllers:

Microsoft published a patch last Tuesday. No later than 11:59pm EDT on Wednesday, agencies are to submit a completion report attesting the update has been applied to all affected servers or provide assurance that newly provisioned or previously disconnected servers will be patched.Its possible for attackers to exploit the vulnerability over the Internet [if] organizations expose their domain controllers. [Or, if they] have exposed Server Message Blockor Remote Procedure Call, [it] may be exploitable. Queries using the Binary Edge search service show that almost 30,000 domain controllers are viewable and another 1.3 million servers have RPC exposed.Zerologon is tracked as CVE-2020-1472. Further raising that stakes was the release by multiple researchers of proof-of-concept exploit code that could provide a roadmap for malicious hackers.Researchers continue to find evidence that people are actively developing attack code. Given the stakes and the amount of publicly available information about the vulnerability, it wouldnt be surprising to see in-the-wild exploits emerge in the coming days.

Feeling smug because you dont use Windows?Stop that, say Sambas Andrew Bartlett and Douglas Bagnall:

Installations running Samba asthe Active Directory DC [or] the classic/NT4-style DC [are] vulnerable. However, since version 4.8the default behaviour of Samba has been to insist on a secure netlogon channelequivalent to having server schannel = yes in the smb.conf.Versions 4.8 and above are not vulnerable unless they have the smb.conf lines server schannel = no or server schannel = auto. Samba versions 4.7 and below are vulnerable unless they have server schannel = yes. Each domain controller needs the correct settings in its smb.conf.Samba 4.10.18, 4.11.13, and 4.12.7 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.Our Code, Our Bugs, Our Responsibility.

Wait. Pause.?Why havent these IT people already done the job? v1 cant understand whats taking them so long:

The CVE was initially released on August 11. Funny theyre just now in a hurry to patch a severity-10 thats been out now for six weeks.Granted, it took Microsoft until last Tuesday to publish a patch, but any competent admin would have looked at that and said that goes on now and has already closed that barn door. Sure, tell the idiots to get it done immediately, then review the completion reports and fire everyone that waited until they were ordered to patch their servers, and hire competent replacements.

Butacdha reckons it aint that simple:

Youre missing the biggest reason: enterprise IT shops with strict change management processes and, especially in government, years of austerity budgets cutting resources for both sysadmins and rigorous testing.If you have a charge management process which takes a month to approve updates, the problem is not the sysadmin. If years of skimping means that the operators are afraid to patch because theyll be punished if it breaks things and they dont have a robust testing process, the problem is not the sysadmin.This is more expensive than people like to admit. You either need to accept lower security/reliability or spend more on staff, capacity, and licenses. Lots of places try to cut that corner and itll seem to work until, as Warren Buffet likes to say, the tide goes out.This is a really tricky problem in government because the pay scales can be very hard to change. Historically the higher-level positions were senior and relatively limited, so its not like you can just effortlessly bump all of your developer positions up to the highest grade without hitting budget caps. That probably means youre hiring people at lower levels which are more like entry level pay.

AndDeputy Cartmans been there done that bought the T-shirt:

Once organizations reach a certain size, they seem to instill a very very strong sense of Dont rock the boat if you dont have to mindset. You want to be proactive and apply a patch? Well what if it breaks something!? Just sit on your ***, keep looking at Tik-Tok, and counting down the days for your pension.Fix **** after the duct tape breaks, and move on with your life. Im already starting to feel this way at my defense company job due to its size. Fixing all the **** Im seeing thats pants-on-head stupid would go about as well as punching a concrete wall until my fists are hamburger.Just roll your eyes, take your time with that 8th cup of coffee, and just do what you can.

What went wrong, anyway?With a neat precis, heres tialaramex:

This is an amazing bug. What happens is, youre supposed to fill out a bunch of bytes as proof of who you are, and then a bunch of bytes that represent stuff like seconds since the start of the Unix epoch. If you cant do this, NetLogon figures you arent really who you say you are.The exploit is: Fill everything out with all zeroes. This will succeed one time in 256 on average.[It] isnt a bug in the code, its a design mistake: If you implement exactly what Microsofts design document says for NetLogon, one time in 256 all zeroes lets you in. By design. Stupid stupid design.It stands out how terrible Microsoft is at cryptographic design. Microsoft does this over and over.

IT people deserve blame too.Coppercloud dreams up the best simile:

Wait, people have domain controllers present on the public internet? Like, no firewall, port forwarded or no NAT, no VPN? Just out there?This is plugging a hole in a leaky chicken fence and hoping it floats.

Cue:the inevitable conspiracy theory. jiggawatts approaches 88 mph:

I am now convinced that Microsoft is purposefully degrading the quality of the cryptography at the behest of the NSA. Microsoft products have all of the following current cryptographic problems: There is no support for TLS 1.3. HSTS is very hit and miss. Until very recently, youd have to jump through hoops to enable TLS 1.1 and 1.2. Across a forest trust, RC4 is the default cipher. If you try to enforce AES ciphers youll break some forms of single-sign-on from Azure AD. If you use ECC certificates, youre stuck with the handful of now very thoroughly legacy curves. You cant have elliptic curve certificates with: NDES, AD FS, SQL Server, SCCM until very recently, and in fact just about every Microsoft product except for IIS. Which I remind you still cant do TLS 1.3. Azure Key Vault cant issue anything but RSA certificates from third-party CAs. The NSA does exist. They do degrade cryptographic algorithms, either through national security letters or simply bribery. The Dual_EC_DRBG fiasco happened. It really happened. Private United States based organisations do cooperate with these programs, either willingly or because they are forced to.Its one thing to accuse a neighbour randomly of murder. Its entirely another thing if you see them putting a shockingly large and heavy rolled up carpet in the boot of their car.

Meanwhile,kaur thinks a thought experiment:

Every country in the world is [asking] questions: Why do we use a consumer OS built by an US company? Can we trust USA to be our ally and not abuse its power over Microsoft? Can we trust USA to stay our ally in the forseeable future?

Maiden Goes To Hollywood

Previously in And Finally

You have been readingSBBlogwatchbyRichiJennings. Richi curates the best bloggy bits, finest forums, and weirdest websites so you dont have to. Hate mail may be directed to@RiCHiorsbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Ryan McGuire (via Pixabay)