The Cybersecurity and Infrastructure Security Agency (CISA), part of the US Department of Homeland Security, issued Emergency Directive 20-04 on September 18, 2020, ordering every Federal Civilian Executive Branch server holding a domain controller role to be patched, or disconnected from the network, within three days. The directive also strongly encourages other organizations, including state and local governments, critical infrastructure operators, and private companies, to apply the update.
The issue that triggered this unusual emergency action is a privilege escalation vulnerability in the Microsoft Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, tracked as CVE-2020-1472 and widely known as "Zerologon". It is extremely severe: an unauthenticated attacker with network access to a domain controller can establish a Netlogon session as any machine account, including the domain controller's own, without knowing its password, and from there reset that password and take over the domain. In practice that means domain administrator rights and, with them, control of every identity service Active Directory provides.
The vulnerability is not theoretical: working proof-of-concept exploit code has been published.
According to the notice, the CISA determined emergency action was required because:
- Exploit code is available "in the wild", which raises the likelihood that any unpatched domain controller is already being exploited
- Affected domain controllers are commonly found across federal agencies
- There is strong potential that agency information systems might be compromised
- A successful compromise is likely to have serious impact
- The vulnerability remained widespread more than 30 days after Microsoft released the update (August 11, 2020).
In Microsoft's guidance for fixing the problem, they note that simply installing the patch is not enough. The August 2020 update puts domain controllers into an "initial deployment" phase: vulnerable Netlogon connections from Windows machine accounts, trust accounts and domain controllers are denied, but vulnerable connections from other (typically non-Windows) devices are still allowed and only logged. Administrators must watch the new Netlogon events that the update adds (5827 and 5828 for denied connections, 5829 for allowed vulnerable connections, 5830 and 5831 for connections allowed by a group policy exception), fix or replace the devices still making vulnerable connections, and then switch the domain controllers to enforcement mode, which denies every vulnerable connection that is not explicitly excepted. Microsoft scheduled enforcement to become mandatory on all updated domain controllers on February 9, 2021, but it can and should be enabled earlier once the 5829 events stop.
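The following PowerShell is an added example written for this post, not code from the original article, from Ericom, or from Microsoft. It runs the two steps above on a patched domain controller: first it pulls the Netlogon vulnerable-connection events and summarizes which accounts are still using the insecure channel, then it enables enforcement mode through the FullSecureChannelProtection registry value. The event message layout used by the regex (a "Machine SamAccountName:" or "Trust Name:" line) is an assumption about the text Microsoft's events carry; unparsed messages are flagged rather than dropped. Run it in an elevated session on each domain controller.

```powershell
# Added example (not from the original post, Ericom, or Microsoft).
# Assumes the August 2020 or later update is installed on this DC and
# that it has been logging long enough to capture the clients you care about.

# Event IDs added by the August 2020 update (System log, source NETLOGON):
#   5827 / 5828 - vulnerable connection DENIED (machine account / trust account)
#   5829        - vulnerable connection ALLOWED during the initial deployment phase
#   5830 / 5831 - vulnerable connection ALLOWED by the group policy exception
$netlogonIds = 5827, 5828, 5829, 5830, 5831
$since       = (Get-Date).AddDays(-14)

# Get-WinEvent raises an error when nothing matches; treat that as an empty set.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = $netlogonIds
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Summarize who is still talking to this DC over a vulnerable channel.
# ASSUMPTION: the message text contains a "Machine SamAccountName:" line
# (machine-account events) or a "Trust Name:" line (trust-account events).
$summary = $events |
    ForEach-Object {
        $account = if ($_.Message -match '(?m)^\s*(?:Machine SamAccountName|Trust Name):\s*(\S+)') {
            $Matches[1]
        } else {
            '<unparsed>'   # keep it visible rather than silently dropping it
        }
        [pscustomobject]@{ Id = $_.Id; Account = $account; Time = $_.TimeCreated }
    } |
    Group-Object Id, Account |
    Select-Object Count, Name,
        @{ Name = 'LastSeen'; Expression = { ($_.Group | Sort-Object Time -Descending)[0].Time } } |
    Sort-Object Count -Descending

$summary | Format-Table -AutoSize

# Anything still showing up as 5829 needs to be patched, replaced, or
# deliberately added to the group policy exception before enforcing.
$stillVulnerable = $summary | Where-Object { $_.Name -like '5829,*' }
if ($stillVulnerable) {
    Write-Warning "Accounts still using vulnerable Netlogon connections; not enforcing yet."
    return
}

# No 5829 events in the window: enable enforcement mode on this DC.
# FullSecureChannelProtection = 1 denies all vulnerable connections except
# those explicitly allowed by the "Domain controller: Allow vulnerable Netlogon
# secure channel connections" group policy.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $key -Name 'FullSecureChannelProtection' -Value 1 -Type DWord

# Read it back so the change is confirmed in the transcript.
Get-ItemProperty -Path $key -Name 'FullSecureChannelProtection' |
    Select-Object FullSecureChannelProtection
```

Run the event query across every domain controller, not just one, since a non-compliant device may only authenticate against the DC nearest to it; adding -ComputerName to Get-WinEvent (or running the script through Invoke-Command) covers that. Once enforcement is on, any device that was missed will start producing 5827 or 5828 events and fail to authenticate, so the summary is worth keeping as a recurring detection rather than a one-time check.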
This vulnerability highlights the need for strict least-privilege access for all accounts, including (or perhaps especially) administrator accounts. New vulnerabilities will keep appearing, and for each one there is a window in which an attacker can exploit it, either before a patch exists or before it has been installed.
Because even organizations with the most responsible and active infosec teams imaginable are exposed to zero-day attacks, one of the most important defenses is to limit the damage an intruder can do once inside. Least-privilege access controls do exactly that.
Ericom Application Isolator (EAI) enables organizations to implement least privilege access controls on existing networks, for both remote and local users, down to the per-user, per-resource level, with minimal administrative overhead. By microsegmenting network access, EAI enables organizations to comply with the Zero Trust principle of never trusting, always verifying, before granting access to sensitive resources.
Of course, following security best practices and promptly patching vulnerabilities such as this Netlogon flaw is absolutely essential. But it is no less essential to limit the damage a malicious party can cause if they do manage to breach your defenses. Implementing a Zero Trust network access solution that can contain an attack is an important step toward that goal.