This Critical Windows Security Breach Can Leave Your Entire Company’s Data at Risk

The researchers said that the breach allows an attacker latched on to a company’s local network to completely compromise the Windows domain of the respective company. The breach completely bypasses authentication, which helps attackers escalate their system privileges on a breached PC. According to reports, the flaw stems from the Netlogon Remote Protocol, which is available on Windows domain controllers that are used for tasks such as user and machine authentication – key features for enterprise security. It also exists in the AES-CFB8 encryption setup for Netlogon sessions.

In these sessions, the encryption standard randomises the system login initialisation process, which makes it practically impossible for attackers to breach enterprise systems. However, the Netlogon flaw fails to randomise the initialisation, and instead sticks to a 16-bit vector for a single login attempt. This, in turn, gives attackers easier control over gaining access to a system.

Zerologon Attack Diagram. (Image Credit: Secura)

Security researchers at Secura said that due to incorrect use of an AES encryption process, it is possible for attackers to clone user identities and subsequently set empty passwords, further escalating the breach. However, it is important to note that in order to exploit the vulnerability, the attacker will have to launch the attack from a machine on the same local network. This means that they would need physical presence within the targeted network, such as access to a Windows PC within an enterprise network.