Microsoft has released a patch for a critical vulnerability that allows complete takeover of corporate networks. The vulnerability is called MS-14-027 and is located in the Windows kernel. If exploited, the attacker could gain complete control over the system. The attack vector for this vulnerability is exploit code that takes advantage of an existing flaw in Windows kernel security. Microsoft has not released any information about how to exploit this vulnerability, but it is possible to do so using exploit code that takes advantage of that flaw.
Update Your Windows Servers ASAP
The vulnerability resides in Netlogon, a process which authenticates users against domain controllers, used for logging in to Windows networks.
The bug takes advantage of some weak cryptographic protocols used internally in Netlogon, allowing attackers to append zero-data to requests and exploit the program. This allows attackers to:

- Change arbitrary passwords in the domain controller's Active Directory.
- Impersonate the identity of other computers on the network.
- Disable security features in the Netlogon process.
This is definitely worthy of the 10/10 critical score. It allows the attacker to authenticate as any user, change passwords and take over the entire domain controller itself, and instantly become the domain admin by completely subverting all the cryptography usually used to check passwords.
Needless to say, you should update your Windows servers today.
The attack is also fairly simple to pull off: it simply fills specific message parameters with zeros and tries the handshake multiple times in order to set an empty password on the domain controller, as shown here in a graph from Secura's whitepaper on the vulnerability:
To actually exploit the vulnerability, attackers would need to be on the local network, which at least rules out the disaster scenario of this happening through a vulnerable web interface. But it can be done from any computer on the network, regardless of privilege, so it is still very impactful.
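Why filling the parameters with zeros and retrying the handshake a few hundred times is enough comes down to one property of CFB8 mode with a fixed all-zero IV: if the first byte of the block cipher's output on the zero block happens to be zero, the shift register never changes and the whole ciphertext collapses to zeros, which happens for roughly one key in 256. The following Python demonstration was added for this article; it is not code from Secura's whitepaper or from Microsoft. It models the mode generically and uses a keyed hash as a stand-in for the AES block operation (an assumption, so the numbers show the structural weakness rather than a property of AES itself), and it contrasts the zero-IV case with a random IV, where the same collapse does not occur.

```python
import hmac
import hashlib
import random

BLOCK_SIZE = 16  # bytes, the AES block size


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES-128 block operation (constructed for this example).

    Netlogon uses AES; here a keyed hash truncated to one block plays the role
    of a block cipher whose output is unpredictable for every (key, block) pair.
    Everything below depends only on that property, not on AES internals.
    """
    assert len(block) == BLOCK_SIZE
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8 mode.

    Each plaintext byte is XORed with the first byte of E_k(shift register);
    the register then shifts left by one byte and the new ciphertext byte is
    appended on the right.
    """
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = toy_block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def zero_iv_collapses(key: bytes, length: int = 8) -> bool:
    """True when all-zero plaintext under an all-zero IV encrypts to all zeros.

    With a zero IV and zero plaintext the register starts as zeros; if the
    first keystream byte is 0 the ciphertext byte is 0, the register shifts
    in another 0 and stays identical, so every later byte is 0 as well.
    A single byte of E_k(0) therefore decides the entire output.
    """
    ct = cfb8_encrypt(key, bytes(BLOCK_SIZE), bytes(length))
    first_keystream_byte = toy_block_encrypt(key, bytes(BLOCK_SIZE))[0]
    # Sanity check of the explanation above: collapse <=> first byte is zero.
    assert (ct == bytes(length)) == (first_keystream_byte == 0)
    return ct == bytes(length)


def estimate_collapse_rate(trials: int = 20000, seed: int = 1) -> float:
    """Fraction of random keys for which the zero-IV case collapses.

    Expected to be close to 1/256, which is why retrying the handshake a few
    hundred times against an unpatched server is enough.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        if zero_iv_collapses(key):
            hits += 1
    return hits / trials


def random_iv_collapse_count(trials: int = 20000, seed: int = 2) -> int:
    """Same experiment with a fresh random IV per key.

    The register no longer stays fixed after a zero byte, so an all-zero
    8-byte ciphertext needs eight independent zero bytes (about 2**-64).
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        iv = rng.getrandbits(128).to_bytes(16, "big")
        if cfb8_encrypt(key, iv, bytes(8)) == bytes(8):
            hits += 1
    return hits


if __name__ == "__main__":
    print(f"zero-IV collapse rate:   {estimate_collapse_rate():.5f} (expect ~{1/256:.5f})")
    print(f"random-IV collapses:     {random_iv_collapse_count()} of 20000")
```

The asymmetry between the two experiments is the whole story: the protocol's weakness is not that CFB8 or AES is broken, but that a fixed zero IV lets an attacker-controlled all-zero input turn a 128-bit key into a 1-in-256 guess, and the only thing the attacker has to do is repeat the handshake until that guess lands.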