Nothing brings urgency to a software vulnerability like an exploit demonstrating its potency.
That’s what happened Monday when researchers at Dutch cybersecurity company Secura released a “proof of concept” exploit for a vulnerability in the Netlogon protocol that Microsoft employs to authenticate users within a domain.
The vulnerability could allow “an attacker with a foothold on your internal network to essentially become [domain administrator] with one click,” as Secura analysts put it. That means an attacker could “impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.”
Within hours of Secura publishing its analysis, U.S. government officials were telling corporations and agencies to pay attention and apply the patch that Microsoft issued last month. The episode highlights how, with thousands of software vulnerabilities released each year, some matter much more than others and prompt influential voices in the industry to sound the alarm. Corporate security teams can’t pay attention to every single software vulnerability, but they can’t afford to ignore flaws like this one.
Rob Joyce, a longtime National Security Agency official, called the Netlogon exploit “powerful,” summing up its ease-of-use as “no fuss, no muss.” The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency warned that “unpatched systems will be an attractive target for malicious actors.” And private-sector analysts said time was of the essence.
“It’s unlikely that it will take long for a fully weaponized exploit [or several] to hit the internet,” wrote Caitlin Condon, manager of software engineering at security firm Rapid7. The firm advised users to “patch on an emergency basis due to the severity of the vulnerability, the availability of an easily weaponizable PoC, and the ease of exploitation.”
The Netlogon flaw also shows how fixing critical bugs can be a tedious process. Microsoft only partially addressed the vulnerability in the patch it released in August. The second phase of the patch will come in the first quarter of 2021, when the software giant will release additional security mechanisms for domain controllers.