
Windows Server vulnerability requires immediate attention - ohjeez
https://www.cisa.gov/blog/2020/09/18/windows-server-vulnerability-requires-immediate-attention
======
KindOne
This has been posted on /r/sysadmin on Reddit:

[https://www.reddit.com/r/sysadmin/comments/i7yh5d/cve2020147...](https://www.reddit.com/r/sysadmin/comments/i7yh5d/cve20201472_netlogon_elevation_of_privilege/)

Twitter post explaining it:

[https://twitter.com/RyanLNewington/status/129344415164462694...](https://twitter.com/RyanLNewington/status/1293444151644626944)

Blog post explaining it:

[https://www.tenable.com/blog/cve-2020-1472-zerologon-vulnera...](https://www.tenable.com/blog/cve-2020-1472-zerologon-vulnerability-in-netlogon-could-allow-attackers-to-hijack-windows)

POC:

[https://infinitelogins.com/2020/09/15/abusing-cve-2020-1472-...](https://infinitelogins.com/2020/09/15/abusing-cve-2020-1472-zerologon/)

~~~
WalterSobchak
Whitepaper for CVE-2020-1472:
[https://www.secura.com/pathtoimg.php?id=2055](https://www.secura.com/pathtoimg.php?id=2055)
[PDF]

------
jra_samba
As this is a protocol level vulnerability, older versions of Samba were also
affected.

Security release announcement is here:

[https://www.samba.org/samba/security/CVE-2020-1472.html](https://www.samba.org/samba/security/CVE-2020-1472.html)

After a previous vulnerability we changed our defaults to require schannel for
release 4.8, which protects against the CVE-2020-1472 problem, but admins
could turn off this protection to work with older/less secure products.

Further hardening of Samba is currently taking place to protect our users from
the bug.

~~~
malwarebytess
Does this mean that any server that uses Samba, windows or not, is vulnerable?

~~~
tcmb
Looks like it, there is also a security issue released for Ubuntu:
[https://usn.ubuntu.com/4510-1/](https://usn.ubuntu.com/4510-1/)

~~~
secabeen
Only if you are running the Samba DC functionality, which is non-default.
Also, you would have needed to specifically disable the protection that was
added by Samba in 2018.

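A quick way to verify the point jra_samba and secabeen make above (Samba 4.8+ requires the Netlogon secure channel by default, and you are only exposed if you run the DC role and turned that protection off): an added example that audits an smb.conf, not Samba's own tooling and not from the thread. The option names are assumptions taken from Samba's smb.conf(5) documentation rather than from this page: the global setting `server schannel` (yes/no/auto, default yes since 4.8), the per-machine exception `server require schannel:<COMPUTERACCOUNT> = no`, and the `server role` values that run a Netlogon server. The two smb.conf samples are constructed.

```python
"""
Audit an smb.conf for the Netlogon schannel enforcement Samba enabled by
default in 4.8.  Added example, not Samba code.  Option names and defaults
are assumptions from smb.conf(5); samples below are constructed.
"""
from typing import Dict, List

# server role values under which Samba runs a Netlogon server (assumption
# from smb.conf(5); member servers and standalone servers do not expose it).
DC_ROLES = (
    "active directory domain controller",
    "classic primary domain controller",
    "classic backup domain controller",
)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [sections], key = value, '#' or ';' comments.
    Option names are lower-cased because Samba ignores their case."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_schannel(text: str) -> Dict[str, object]:
    """Report whether the Netlogon server is exposed and what weakens schannel."""
    g = parse_smb_conf(text).get("global", {})
    role = g.get("server role", "auto").lower()
    # Absent option => the 4.8+ default "yes" (assumption; pre-4.8 defaulted
    # to auto, so on old releases an absent option is itself a finding).
    schannel = g.get("server schannel", "yes").lower()
    weakened: List[str] = []
    if schannel != "yes":
        weakened.append(
            f"server schannel = {schannel}: DC does not require the Netlogon secure channel"
        )
    for key, value in g.items():
        if key.startswith("server require schannel:") and value.lower() in ("no", "false", "0"):
            weakened.append(f"{key} = {value}: per-machine exception, schannel not enforced")
    return {"netlogon_exposed": role in DC_ROLES, "schannel": schannel, "weakened": weakened}


# Constructed sample: the hardened default.
HARDENED_CONF = """\
[global]
    workgroup = CORP
    realm = CORP.EXAMPLE
    server role = active directory domain controller
    server schannel = yes
"""

# Constructed sample: protection turned off "to work with older products",
# plus a per-machine exception for an old printer account.
WEAKENED_CONF = """\
[global]
    workgroup = CORP
    realm = CORP.EXAMPLE
    server role = active directory domain controller
    server schannel = auto
    server require schannel:OLDPRINTER$ = no
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("weakened", WEAKENED_CONF)):
        print(name, audit_schannel(conf))
```

Run it against your real file with `audit_schannel(open("/etc/samba/smb.conf").read())`; anything in `weakened` on a host where `netlogon_exposed` is true is the configuration secabeen describes.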
------
jimrandomh
This refers to a vulnerability that was patched in August; any systems that
are still unpatched are over a month behind. In general, most security patches
(for any software that's in use) are urgent; once a patch is out, some
adversaries are going to reverse-engineer the patch to find out what the bug
was, and mass-exploit targets that haven't patched. Any server which is that
far out of date on its patches is either in need of a sysadmin, or has a
sysadmin who's being negligent. There is no excuse.

~~~
acdha
You’re missing the biggest reason this is relevant: enterprise IT shops with
strict change management processes and, especially in government, years of
austerity budgets cutting resources for both sysadmins and rigorous testing.

Either of the targets you mentioned are more the symptom than the root cause:
management setting up bad incentives. If you have a change management process
which takes a month to approve updates, the problem is not the sysadmin. If
years of skimping means that the operators are afraid to patch because they’ll
be punished if it breaks things and they don’t have a robust testing process,
the problem is not the sysadmin.

~~~
taf2
I feel these organizations that have a process that prevents critical fixes
have a broken process... you either have to be ok with having your servers
compromised, e.g. data stolen or leaking user data, or you have to be ok accepting
that sometimes the engineer fixing a bug or adding a new feature might mess
something up. I am inclined to believe a bit more to the side of move fast
break things is better than move so slow you get pwned... but sort of a
delicate balancing act...

~~~
TheAdamAndChe
I studied IT security quite a lot, and implement Windows patches for dozens of
companies. While you are technically right, Microsoft releases broken patches
_constantly_. If we pushed out every single patch the moment they were
released, we would constantly be down and fighting fires. Most small and mid-
sized companies don't have hacking campaigns run against them most times.
Given this, it just doesn't make sense to push out every single patch
immediately. Microsoft's patches are a whole lot more stable when they're a
couple months old.

~~~
reincarnate0x14
This has been a real problem again in the Windows 10 era. By around 2008,
Microsoft seemed to have finally gotten their patch process cleaned up to the
point that if you were only taking security patches, they generally installed
cleanly and mostly didn't break random things. By about 2016 this had backslid
and now Windows 10 seems intent on large scale combined updates and constant
servicing stack updates with undocumented consequences.

It's been a giant pain having spent years trying to get organizations to
accept the need and learn to do this stuff reliably only to have the primary
source of misery (Microsoft) repeatedly start biting them in the ass again for
what should be best practices.

Meanwhile in the same timeframe most BSD and Linux releases have not only
gotten their core software updates down to a science, they've also managed to
build workflows that can include huge swathes of 3rd party open source and
commercial software, which is so hilariously awful on windows that multiple
companies build businesses around doing it.

~~~
ThrowawayR2
> " _This has been a real problem again in the Windows 10 era. By around 2008,
> Microsoft seemed to have finally gotten their patch process cleaned up to
> the point that if you were only taking security patches, they generally
> installed cleanly and mostly didn't break random things. By about 2016 this
> had backslid and now Windows 10 seems intent on large scale combined updates
> and constant servicing stack updates with undocumented consequences._"

Microsoft laid off all their QA staff in 2014, so it's hardly surprising. If
anything, it's a wonder that it's not much, much worse than it is now.

------
kregasaurusrex
Here's the description for CVE-2020-1472: An elevation of privilege
vulnerability exists when an attacker establishes a vulnerable Netlogon secure
channel connection to a domain controller, using the Netlogon Remote Protocol
(MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.

[https://portal.msrc.microsoft.com/en-US/security-guidance/ad...](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472)

~~~
tialaramex
This is an amazing bug.

So what happens is, you're supposed to fill out a bunch of bytes as proof of
who you are, and then a bunch of bytes that represent stuff like seconds since
the start of the Unix epoch. If you can't do this, NetLogon figures you aren't
really who you say you are.

And the exploit is: Fill everything out with all zeroes. This will succeed one
time in 256 on average.

The reason why is complicated and somewhat interesting, but this stupidest
possible exploit is what you get at the end of that complicated rationale.

I've written previously on HN that it stands out how _terrible_ Microsoft is
at cryptographic design. If there's an opportunity to roll your own and do it
badly, in a Microsoft product that's what you should expect. Google has good
people (it doesn't _always_ use them, but most often it does) for this stuff,
and Apple most often seems to accept that it _doesn't_ have good people so
it'll not roll its own but just use things that already exist; but Microsoft
does this over and over.

In this particular case they took AES (seems fine) and an inappropriate but in
principle secure cipher mode (CFB8) and then they... fixed the IV as all
zeroes even though the definition of CFB is clear that you need to use a
random IV.

~~~
alister
> _This is an amazing bug. They took AES (seems fine) and an inappropriate but
> in principle secure cipher mode (CFB8) and then they fixed the IV as all
> zeroes_

A bit more detail on what happens next: "So with an all-zero IV and plaintext
plus a randomly chosen key, you will end up with an all-zero ciphertext 1 in
256 times on average. [In other words] roughly once in every 256 times the
server would randomly concoct a session key for which the correctly-encrypted
version of their all-zero ClientChallenge would itself be all zeros."[1]
Quoted from a detailed and nicely illustrated article about the bug.

[1] [https://nakedsecurity.sophos.com/2020/09/17/zerologon-hackin...](https://nakedsecurity.sophos.com/2020/09/17/zerologon-hacking-windows-servers-with-a-bunch-of-zeros/)

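The "all zeroes, one time in 256" arithmetic tialaramex and alister describe above, carried through in code. This is an added example for this thread, not code from the original post, from Secura's whitepaper or PoC, or from Microsoft. It models only the piece the comments describe: the Netlogon credential is the 8-byte challenge encrypted with AES-CFB8 under the session key with the IV hard-wired to all zeros, and the DC accepts the client if the credential it sent matches. Session-key derivation, the RPC calls and the rest of the handshake are left out, and the per-attempt session keys are constructed deterministically so the run is reproducible. Real AES is used when the third-party `cryptography` package is installed; otherwise a keyed-hash stand-in (an assumption, not AES) takes its place, which does not change the CFB8 structure being demonstrated.

```python
"""
Why an all-zero ClientChallenge gets through Netlogon about 1 time in 256.
Added example; not code from the thread, Secura, or Microsoft.
"""
import hashlib
import os
from typing import Tuple

BLOCK = 16                   # AES block size in bytes
ZERO_IV = bytes(BLOCK)       # the fixed IV the thread complains about
ZERO_CHALLENGE = bytes(8)    # what the attacker sends as ClientChallenge
ZERO_CREDENTIAL = bytes(8)   # ... and as ClientCredential

try:
    # Real AES when the `cryptography` package is available.
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    USING_REAL_AES = True

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:
    # Offline stand-in (assumption, NOT AES): a keyed hash truncated to one
    # block.  Only "looks random" matters for what is shown below.
    USING_REAL_AES = False

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: encrypt the shift register, XOR its first output byte into one
    plaintext byte, then shift that ciphertext byte into the register."""
    if len(iv) != BLOCK:
        raise ValueError("IV must be one block")
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(shift))[0]
        out.append(c)
        del shift[0]
        shift.append(c)
    return bytes(out)


def compute_credential(session_key: bytes, challenge: bytes) -> bytes:
    """The credential computation as the thread describes it: AES-CFB8 over
    the 8-byte challenge with the IV fixed to zero."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def dc_accepts(session_key: bytes, client_challenge: bytes, client_credential: bytes) -> bool:
    """The DC's check: recompute the credential and compare."""
    return compute_credential(session_key, client_challenge) == client_credential


def zerologon_attempt(session_key: bytes) -> bool:
    """One attempt: all-zero challenge, all-zero credential.  Every real
    attempt gets a fresh session key, so callers loop over keys."""
    return dc_accepts(session_key, ZERO_CHALLENGE, ZERO_CREDENTIAL)


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """The exact success condition.  With a zero IV and zero plaintext the
    first ciphertext byte is E_K(0^16)[0].  If it is 0 the register stays all
    zeros and every later byte repeats the same computation, so the whole
    8-byte credential is zero; if not, byte 0 already mismatches.  Hence the
    probability is 1/256 for the whole credential, not (1/256)^8."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def make_session_key(i: int) -> bytes:
    """Constructed, reproducible stand-in for the per-attempt session key."""
    return hashlib.sha256(b"zerologon-demo-session-key-%d" % i).digest()[:BLOCK]


def success_rate(trials: int) -> Tuple[int, int]:
    """Count accepted attempts over `trials` fresh session keys."""
    hits = sum(zerologon_attempt(make_session_key(i)) for i in range(trials))
    return hits, trials


def random_iv_attempt(session_key: bytes) -> bool:
    """Same attack against CFB8 with a random IV, as the mode specifies: the
    register never starts at zero, so a zero credential is a 2^-64 fluke."""
    return cfb8_encrypt(session_key, os.urandom(BLOCK), ZERO_CHALLENGE) == ZERO_CREDENTIAL


def cfb8_self_check() -> bool:
    """Cross-check the hand-written CFB8 against the library's CFB8 mode when
    real AES is in use (trivially True with the offline stand-in)."""
    if not USING_REAL_AES:
        return True
    key, iv, msg = make_session_key(0), os.urandom(BLOCK), os.urandom(40)
    enc = Cipher(algorithms.AES(key), modes.CFB8(iv), backend=default_backend()).encryptor()
    return enc.update(msg) + enc.finalize() == cfb8_encrypt(key, iv, msg)


if __name__ == "__main__":
    hits, n = success_rate(20000)
    print(f"zero IV:   {hits}/{n} attempts accepted (expected about {n // 256})")
    print(f"random IV: {sum(random_iv_attempt(make_session_key(i)) for i in range(n))}/{n}")
```

The interesting function is `first_keystream_byte_is_zero`: it shows why the rate is 1/256 rather than 1/256 per byte, which is the "complicated rationale" behind the stupidest possible exploit. Swap `ZERO_IV` for a random IV in `compute_credential` and the same attack stops working.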
~~~
triangleman
An exploit plus 3 different poor security practices... insane.

------
galacticaactual
Script to test vulnerable domain controllers here:
[https://github.com/SecuraBV/CVE-2020-1472](https://github.com/SecuraBV/CVE-2020-1472)

------
ComodoHacker
Microsoft Advisory: [https://portal.msrc.microsoft.com/en-US/security-guidance/ad...](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472)

MITRE: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472)

------
cpach
There was a patch released last Tuesday, wasn’t it?

Not so fun for those who are still on Server 2008, though. (Yes, that is
still a thing unfortunately.)

~~~
PakG1
I'm trying to get off! It's not easy! These apps won't run on a later version
of Windows Server, they're too old! Tell my boss to give me more budget to get
things done properly! :(

~~~
vaccinator
> Tell my boss to give me more budget to get things done properly

How much would someone get for getting this done?

~~~
PakG1
Getting the app upgraded or changed to not need 2008 is the hard part. If the
app could run on a later version of Windows, this would be really easy. I'm
sure you can appreciate how difficult that might be. For custom apps, it could
be a lot of code to update. For vendor apps, that app would also probably need
to be upgraded to a newer version because the app is also end of life for some
years now. In our case, it's a vendor app. No time and money to fix this
situation, so we just keep it running and pray.

------
waihtis
Exploits for this have been floating on Github for at least a week already.
The vulnerability game has become pretty fast paced nowadays.

------
acqq
If I see it correctly, it's about the "August 2020 security update", which was
published 11 Aug 2020, more than a month ago.

~~~
MrMorden
Correct. And "government-grade security" isn't a compliment. CISA definitely
has some people who want to do the right thing, but they need budgetary
control over other agencies to make it happen. (Speaking as someone who worked
for the federal government for 15+ years, the most effective means of
persuasion would be travel and reserved parking enforcement for Senior
Executive Service members.)

CISA also doesn't have authority over DoD or IC systems, let alone the
aforementioned budgetary authority to make them do it. No, it doesn't make any
sense to apply a lesser standard to systems that are more sensitive. Like I
said, government-grade security.

~~~
tialaramex
The financial sector is also terrible.

During SHA-1 deprecation for example, almost all the trouble was with the
financial sector. The way the bogus issuance that led to discovering the problem
at StartCom / WoSign was detected begins with a financial services company
that is desperately trying to get a SHA-1 certificate issued after it's too
late and finds WoSign will back date the certificate for some undisclosed
amount of money. Even some of the Symantec / Crosscert stuff comes back to the
Korean banking and financial sector (in the district south of the river in
Seoul which we'd anglicize "Gangnam", yes that Gangnam...). And lots of "We
must have RSA kex" was the financial sector too.

You've probably got a chip card as credit card or debit card, but even though
that chip is relatively a technological heavyweight (compared to things like
your employee badge that authorises access to the shared office printer, or a
public transit card) the crypto in it is... not so hot, and the surrounding
infrastructure built by financial companies is awful.

And the chip card doesn't actually secure the thing you care about - your
money - it only secures the thing the issuer cares about, tying your
transaction to you. Actual financial transfers are done entirely on a trust
basis like it's still the 19th century, the card just presents authorization
which is optional.

~~~
vjt
What I find most frustrating is that finance institutions buy extremely
overpriced and brittle software from renowned vendors not because of technical
excellence but for risk management: they want a supplier to blame when
something goes wrong.

The problem with this is that nowadays suppliers are stronger in defending
themselves from such blame than they are in writing good software.

Furthermore, the software being sold is very pricey and the cost of
customising it often exceeds the cost of the software itself.

Then, 9 times out of 10 the issues lie in the customisations, and that doesn’t
surprise, as the institution will mostly be using the custom parts, as those are
the ones they need most. Here the vendors have even more grip in demonstrating
that it’s the customer requirements’ fault, and not their crappy software,
that confuses the concepts of “database” and “application server”.

I try to counter this by writing solid, robust software using open source
components, giving back when possible, perfectly filling the company’s
requirements, well integrated and reasonably cheap to maintain. Slowly, this
can help in abandoning vendors and building in-house know-how.

I find this crucial because the quality of software sold by some vendors is
very very low, and getting worse.

------
gjsman-1000
I've used Linux so much, I initially read the title as "Window (singular)
Server Vulnerability...", leading me to wonder what was wrong with Xorg this
time...

~~~
sk5t
Isn't Xorg technically the Xwindows client?

~~~
jacquesm
A certain Don Hopkins has written about this:

"We have tried to avoid paragraph-length footnotes in this book, but X has
defeated us by switching the meaning of client and server. In all other
client/server relationships, the server is the remote machine that runs the
application (i.e., the server provides services, such as database service or
computational service). For some perverse reason that's better left to the
imagination, X insists on calling the program running on the remote machine
"the client." "

From:

[http://www.art.net/~hopkins/Don/unix-haters/x-windows/disast...](http://www.art.net/~hopkins/Don/unix-haters/x-windows/disaster.html)

~~~
marcosdumay
Things are complicated when the remote computer calls your desktop. But that's
how X works.

That's also why once in a while somebody discovers a completely unexpected
vulnerability in it that, although simple, nobody thought about before.
Things are so non-intuitive that it's hard even to talk about them.

Yet, somehow it works. And works quite well. I imagine the authors of that
book are quite annoyed by how Unix evolved to work really well, and still
avoided fixing any fundamental problem.

------
clouddrover
How long has this vulnerability been known but kept quiet for use in the NSA's
library of exploits? EternalBlue was based on a Windows exploit they knew
about but withheld from Microsoft so they could continue to exploit it. That
deliberate withholding of information has cost many organizations a lot of
money:

[https://www.forbes.com/sites/kalevleetaru/2019/05/25/as-eter...](https://www.forbes.com/sites/kalevleetaru/2019/05/25/as-eternalblue-racks-up-damages-it-reminds-us-there-is-no-such-thing-as-a-safe-cyber-weapon/)

[https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-balti...](https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html)

Is this another problem that could have been fixed a long time ago?

~~~
srtjstjsj
> Is this another problem that could have been fixed a long time ago?

Yes. The bug was documented in the public documentation, not even hidden in
the closed source code.

------
fortran77
In general, when your OS or system software (Database, Webserver, etc.) vendor
releases a patch for an exploitable vulnerability, this requires immediate
attention.

~~~
2snakes
A patch is a global vulnerability alert.

------
MattGaiser
> We have directed agencies to implement the patch across their infrastructure
> by Monday, September 21

Actually, they have until Monday.

------
Snowbirth
1472 patched here too: [https://blog.0patch.com/](https://blog.0patch.com/)
[https://0patch.com/](https://0patch.com/). Great for old systems where
updating breaks stuff.

------
collsni
This is from a month ago, if you patched your DCs in August you are good.

------
greesil
Sorry for my ignorance, but do Linux servers have critical vulnerabilities
like this, and as frequently?

Edit: thanks for downvoting a serious question.

~~~
resfirestar
Generally no, for many reasons. I think the most important one here is that in
a Windows server there’s a lot of software bundled together (AD services, the
SMB server, IIS, RPC stuff like this netlogon interface, WMI, RDP, many
others) that you can generally expect to find on any Windows server, giving
you a wealth of targets and potential ways to exploit how different components
interact. A base Linux system has relatively few services (just SSH in simple
distributions) so to begin targeting Linux the same way you’d have to decide
to go after RHEL or something, narrowing an already tiny share of servers down
even further. Other reasons include the dominance of Windows outside the tech
industry (which makes it a more interesting and lucrative target for
vulnerability researchers and exploit developers), lack of comparable
functionality to AD for Linux servers, and probably higher standards for code
quality and cryptography in highly scrutinized open source applications like
MIT Kerberos.

~~~
stinos
_A base Linux system has relatively few services (just SSH in simple
distributions) so to begin targeting Linux the same way you’d have to decide
to go after RHEL or something_

Not sure why it should be RHEL, there are Linux counterparts for most bundled
software you mention so a comparison against a base Linux system + e.g.
samba/vnc/nginx/... still seems fair. All of those have had (sometimes severe,
i.e. root escalation) vulnerabilities in the past, but the question
whether it's 'as frequent' is pretty hard to answer. I would also guess
towards 'no' though.

~~~
resfirestar
Yeah, there are applications that are very common, but still exploits against
them won’t be as universally applicable as Windows ones. You’re likely to find
a Linux server with either Samba or nginx or some VNC software but all at once
is less common, and there’s a lot of variety with web and VNC servers.

------
doctoboggan
Wow, the hospital my wife works at was hit with a ransomware attack today, I
wonder if this is the vector the attacker used.

~~~
resfirestar
If they had a domain controller with ports opened to the internet they would
have been hit some other way already (not to mention suffering from constant
account lockouts from random brute forcing), so this would probably not be the
initial vector. Once the exploits are more polished this will make things
easier for ransomware to escalate privileges but they already had effective
ways to get to domain admin that work on most networks.

------
GEBBL
They are slow off the mark here

------
dfv
Microsoft really can't catch a fucking break this year, can they?

~~~
giancarlostoro
Their stock has done mighty fine. Before anyone says it's down now, check how
much it's gone through YTD. I still feel like their stock is highly undervalued
considering where their competitors' stock is at.

