Security Bits Logo no alpha channel

Security Bits — 4 October 2020

Feedback & Followups

🧯Deep Dive — Zerologon (CVE-2020-1472)

We have a new bug with a fancy name — Zerologon. Security researchers found a flaw in the Microsoft Windows Netlogon Remote Protocol or MS-NRPC. The spec misuses an otherwise secure encryption function (AES-CFB8). Some cryptographic functions need to be started with a piece of random data before they are ready to be used to securely encrypt real data. Cryptographers refer to this initial chunk of random data as the Initialisation Vector, or IV. The problem with the MS-NRPC spec is that it resulted in an encryption function that needs to use an IV always being passed all zeros instead of random data as the IV. That explains the zero in Zerologon.

So what does MS-NRPC do? And more importantly, what does this flaw allow attackers to do that they shouldn’t be able to do?

Thanks to US antitrust laws and some diligent people in the US DOJ, Microsoft publish the specifications for the protocols that power Windows networking and groupware. Initially, this was demanded by commercial competitors like Novell (anyone remember NetWare?). Novell may be a distant memory, but the fact that these specs are public is what enables our Macs to play nice in corporate environments, our NAS devices to publish our files as if they were Windows file servers, and for Linux clients and servers to fully participate in Windows-based network, and even host Active-Directory-compatible domains that Windows desktop computers can join seamlessly. Without these specs open source projects like SAMBA would have to reverse-engineer the various protocols their product relies on, instead, they simply get to implement the spec!

So, this is how Microsoft describes MS-NRPC in the official specification:

… an RPC interface that is used for user and machine authentication on domain-based networks; to replicate the user account database for operating systems earlier than Windows 2000 backup domain controllers; to maintain domain relationships from the members of a domain to the domain controller, among domain controllers for a domain, and between domain controllers across domains; and to discover and manage these relationships.

Basically, MS-NRPC is the fundamental protocol that holds a Windows domain together.

Because of the all-zeros IV, attackers with network-level access to a Windows domain can impersonate any computer on the domain, including a domain controller, and, obtain Domain Administrator privileges (network-level root access). Basically, if an attacker gets onto a network where there’s even one domain-joined computer, they can take over the entire Windows domain. In a modern corporate environment, controlling the Windows domain gives an attacker control of just about everything. This really is about as bad as it can get!

In theory, an insecure smart lightbulb could be all it takes to expose an entire trans-national corporate network!

A few zeros in an IV become a domain admin login without a password — definitely Zerologon!

But wait, there’s more!

A lot of security vulnerabilities are the result if implementation mistakes — the coders try to write code that follows the spec, but they make a mistake. Those bugs will exist in single products and are usually easy for the vendor to fix. This is not one of those bugs — in this case, it was a mistake in the specification, so even perfect implementations of the spec are vulnerable! This vulnerability also affects SAMBA and some network storage devices (high-end SANs more than low-end NAS devices for reasons that will become obvious shortly).

But wait, there’s even more — Microsoft are seeing active exploitation of this bug in the wild!

This all sounds pretty bad, what is that fire extinguisher emoji doing in the heading?

This is a really big deal for corporate IT, but there are three good reasons regular folk don’t need to panic:

  1. This bug was responsibly disclosed. Microsoft patched it in their August Patch Tuesday security update, and SAMBA have also released patches. The security researchers did not release any details on the bug until after Microsoft published their September Patch Tuesday updates.
  2. This bug affects Windows domains, most home users don’t run Windows domains! Also, most home and even Small Office/Home Office NAS devices don’t support Windows domains, only higher-end NAS and SAN devices provide Windows domain services.
  3. Most homes are behind NAT routers, providing protection from direct exploitation. If a home user did run an unpatched Windows domain though, they could get exploited indirectly via another otherwise insecure device, most likely some shoddy IoT contraption that’s all big forgotten!

Bottom line — home users who patch their devices really have nothing to worry about here.


❗ Action Alerts

Worthy Warnings

Notable News

Top Tips

  • Blacklight is an interesting tool for checking websites for ad trackers —…

Excellent Explainers

Interesting Insights

Palate Cleansers

  • From Allison: stay at wear a


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top