Microsoft released an update for CVE-2020-1472 (now known as Zerologon) on August 11, 2020. The Elevation of Privilege vulnerability exists in the Netlogon Remote Protocol and can allow an unauthenticated attacker to obtain domain administrator access. The vulnerability has a CVSSv3 base score of 10 and is rated as critical by Microsoft.
The update had a planned two-phase release approach. In August, the initial phase of the update was made available. This would implement the changes, however, not begin enforcement, but would start to log connection that would be denied once enforcement is turned on. Guidance from Microsoft was to begin monitoring and identifying non-compliant connections and resolve any of the non-compliant scenarios before enabling enforcement. With a registry change you could turn on enforcement at any time once you are ready. Phase two was targeted for February 9, 2021 and would see an additional update that would enable the enforcement.
The release of proof-of-concept code and indications that threat actors could already be exploiting the vulnerability in the wild moved up the time table quickly and recommendations from the Cybersecurity & Infrastructure Security Agency (CISO) and other security experts urge more immediate actions. The CISA released Emergency Directive (ED) 20-04 on September 18 and the directive stated that all Windows servers with the domain controller role must resolve the vulnerability to be compliant with the directive by Monday September 21. Agencies under the CISA directive also had to prove compliance by Wednesday September 23.
Continuous Vulnerability Management – Is your process effective?
Many organizations believe they have a solid vulnerability remediation process in place. In reality, any company has room to improve on such processes. The recent Zerologon scramble touches on many of those areas that can be improved or should be re-evaluated.
Every organization should ask the following questions:
What is your SLA on vulnerability remediation?
The median time to exploit a vulnerability is 22 days according to research from the RAND Institute. According to the Verizon Data Breach Investigations Report from 2016, 50% of exploits will have occurred within 14-28 days of a patch being made available. Bluekeep is a very public example of how quickly an exploit can be developed. The update was made available on May 14, 2019 and multiple research teams had independently developed exploits by May 28, 2019 exactly 14 days after release of the update. If your Time to Patch is not targeting 14 days or less, you could be leaving your organization exposed to significant risk.
How are you prioritizing vulnerability remediation?
At the current rate of identification, the number of CVEs (Common Vulnerabilities and Exposures) identified in 2020 is likely to exceed 20,000. That is a lot of vulnerabilities to respond to. One common trap companies fall into is trying to reduce the amount of updates they need to resolve quickly vs those than can take a longer cycle. They often will use vendor severity and CVSS score to attempt to reduce the CVEs that need the quick turn around (14 days or less) by targeting vendor Critical or CVSSv3 base scores of 8.0 or higher. Recorded future released a top 10 list of CVEs exploited in 2019. The list included vulnerabilities dating all the way back to 2012. Two in particular come to mind when talking about prioritization. CVE-2017-11882 is a vulnerability that was exploited very nearly from day one. It was only rated as Important by Microsoft and has a CVSS score of 7.8. It was one of the top 10 exploited vulnerabilities according to Recorded Future’s 2019 top 10 exploited CVEs list. Adopting a Risk-based prioritization process to identify the real risk of vulnerabilities as there are many examples that could slip by if not scrutinized.
Does your organization have a well-defined process for priority vs regular maintenance?
Threat actors can move fast. When they do, we need to know what they are exploiting and be able to move quickly to resolve such vulnerabilities. If you have a good risk prioritization process you should be able to react when that prioritization identifies a critical risk. Having two well defined tracks in your process is important. You should have your regular vulnerability management process and should be predictable. Well established SLAs, criteria for what gets prioritized and when it needs to be resolved by. You also need a out of band or rapid response plan that can be triggered literally at a moments notice. In the case of Zerologon or previous situations like WannaCry, the need to respond quickly comes up and when it does it cannot be slowed by weighty discussion. Have a well-established quick response plan and make sure it reduces decision times, has well identified parties who are responsible and an action plan that can be rehearsed and executed quickly.
When to turn to an external service provider
Not every organization has the in-house expertise, the tools to monitor for and prioritize vulnerability risks, and the resources to continually monitor and research vulnerabilities to determine what course of action they should take. Having a managed service focused on risk prioritization and urgent vulnerability response is not a bad idea to augment your team. There are vulnerability management and threat intelligence companies that have products, but also can provide managed services in these areas. They specialize in these activities so you can focus on the day to day and when they prioritize an urgent item, you can respond quickly and confidently.