A new CVE was released recently that has made quite a few headlines – CVE-2020-1472. Zerologon, as it’s called, may allow an attacker to take advantage of the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of any computer when trying to authenticate against the domain controller.
To put that more simply, this vulnerability in the Netlogon Remote Protocol (MS-NRPC) could allow attackers to run their applications on a device on the network. An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access.
According to Dustin Childs with our Zero Day Initiative (ZDI), “What’s worse is that there is not a full fix available. This patch enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug. After applying this patch, you’ll still need to make changes to your DC. Microsoft published guidelines to help administrators choose the correct settings.”
But if there’s a patch, why is this a big deal?
You might be thinking, “Well if there’s a patch, this really isn’t an issue.” But the idea of “just patch it” is not as easy as it sounds – check out this post (also from Dustin with the ZDI) for more insights on barriers to patching.
The average Mean Time to Patch (MTTP) is 60 to 150 days. This CVE was published in early August, so that would put the average time for implementing this patch between October 2020 and January 2021.
You have maybe heard the security industry joke that after Patch Tuesday comes Exploit Wednesday. That’s the comedic way to suggest that after a batch of patches for new CVEs are released the first Tuesday of every month from Microsoft and Adobe, attackers get to work reversing the patches to write exploits to take advantage of the bugs before patches have been applied.
Given the MTTP, that’s 2-5 months that your organization is left exposed to a known threat.
So what can I do to protect my organization?
Fortunately, as a Trend Micro customer, we have you covered with virtual patching. This provides an extra layer of security to protect against vulnerabilities before you apply the official vendor patch. As the name suggests, it’s like a patch because it is specifically protecting your environment in case someone attempted to exploit that vulnerability.
Virtual patches can be a critical safety net to allow you to patch in the way that works for your organization.
With Trend Micro, you are protected from Zerologon and thousands of other vulnerabilities with virtual patching to have your back as part of your patch management process. Because we protect you beyond this CVE.
Thanks to the ZDI, our customers are protected 81 days before a patch is even released by the vendor (2019 data). How is that possible, you might ask. It’s very simple: When a vulnerability is submitted to the ZDI, our team gets to work to add protection against that unpatched vulnerability.
To learn more about Trend Micro protection for CVE-2020-1472, read our knowledge base article here.