This week, Microsoft issued a notice to organisations that a software update on February 9 would kick off the second step of patching for the Zerologon vulnerability.
The critical vulnerability, tracked as CVE-2020-1472, was found in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) and was first addressed on August 2020 Patch Tuesday; it can be exploited to compromise Active Directory domain controllers and obtain domain admin access.
The vulnerability came into the spotlight in September, after the Department of Homeland Security (DHS) told federal agencies to apply patches for it urgently. It can be exploited by an unauthenticated attacker who runs a specially crafted application on a device on the network.
Soon after, attacks exploiting the flaw were detected, and Microsoft offered advice on how organisations should protect affected systems. Attacks exploiting Zerologon nevertheless continued.
Microsoft notified customers that patching for this flaw would take place in two phases: the August 11 patch deployment and an enforcement phase expected to begin on February 9, 2021.
The company is now reminding organisations of the imminent transition to the enforcement phase, which will begin on Patch Tuesday in February 2021.
"We remind our customers that we will allow Domain Controller compliance mode by default from the February 9, 2021 Security Upgrade release onwards." This, states Microsoft, would block insecure connections from non-compliant devices.
With DC enforcement mode enabled, both Windows and non-Windows devices will have to use Netlogon Secure Channel secure RPC. Customers will, however, be able to add exceptions for non-compliant devices, even though doing so leaves those accounts at risk.
Organisations should apply the available patch to all domain controllers in preparation for enforcement mode, and should locate and address non-compliant devices so that they no longer make insecure connections.
They should also enable Domain Controller enforcement mode in their environments ahead of the February 9 update.
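One way to carry out the two preparatory steps above on a domain controller, as an added PowerShell example that is not part of the article or of Microsoft's guidance: it assumes the Netlogon event IDs 5827 to 5831 and the FullSecureChannelProtection registry value that Microsoft documented for CVE-2020-1472; the script parameters and output format are my own.

```powershell
# Added example (not from the article or Microsoft). Run on a patched domain
# controller to (1) list devices still using vulnerable Netlogon secure channel
# connections and (2) optionally switch on enforcement mode ahead of February 9.
# Assumes the documented Netlogon event IDs and registry value for CVE-2020-1472.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$Days = 30,            # how far back in the System log to look
    [switch]$EnableEnforcement  # also set FullSecureChannelProtection = 1
)

# Step 1: inventory non-compliant devices from the DC's Netlogon events.
#   5827/5828 = vulnerable connection denied (machine / trust account)
#   5829      = vulnerable connection allowed (only before enforcement)
#   5830/5831 = allowed because of an explicit group-policy exception
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827..5831
    StartTime    = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$summary = $events |
    Group-Object -Property Id |
    ForEach-Object {
        # Pull the account name out of the message text rather than relying on
        # property ordering; fall back to "(unknown)" when the pattern is absent.
        $accounts = $_.Group | ForEach-Object {
            if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '(unknown)' }
        } | Sort-Object -Unique
        [pscustomobject]@{
            EventId  = [int]$_.Name
            Count    = $_.Count
            Accounts = $accounts -join ', '
        }
    }

if ($summary) { $summary | Sort-Object EventId | Format-Table -AutoSize }
else { Write-Host "No Netlogon events 5827-5831 in the last $Days days." }

# Step 2: enable DC enforcement mode now, instead of waiting for the update.
# Any 5829 accounts listed above will be denied once this is set.
if ($EnableEnforcement) {
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    if ($PSCmdlet.ShouldProcess($regPath, 'Set FullSecureChannelProtection = 1')) {
        Set-ItemProperty -Path $regPath -Name FullSecureChannelProtection -Value 1 -Type DWord
    }
}
```

Run it first without `-EnableEnforcement` to see which accounts appear under event 5829; those are the devices to fix or consciously except before enforcement is turned on.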
In a report covering the 2020 threat landscape, Tenable ranked Zerologon the most significant vulnerability of last year out of the 18,358 CVEs recorded.