What is the potential impact of CVE-2020-1472?

The successful exploitation of CVE-2020-1472 allows an attacker to impersonate any computer on the network, disable security features that protect the Netlogon process, and change a computer’s password associated with its Active Directory account.

What does an attacker need to exploit Zerologon?

In order to exploit Zerologon an attacker needs to be on the network. The attacker can gain access to networks by multiple means such as phishing, drive-by exploits, or additional means.

What event ids are enabled once the August 2020 patch is installed on a domain controller?

The following event ids are enabled once the August 2020 patch is installed on a Domain Controller: Log event IDs 5827 and 5828 log when a connection has been denied to the domain controller once enforcement mode has been enabled. , Log event IDs 5830 and 5831 log when a connection is allowed by the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy. , Log event IDs 5829 logs whenever a vulnerable Netlogon secure channel connection is allowed for both Windows and Non-Windows devices.

What actions can I take to protect my devices from the Zerologon Vulnerability?

deepwatch recommends taking the following actions in vulnerable environments to assist in further protecting devices: Action 1: Patch all systems with Microsoft’s August 2020 security updates and verify the successful installation with a vulnerability scanning tool, such as those from Qualys or Tenable, and your organization’s patch management tools. , Action 2: Enabling forwarding to SIEM devices or monitoring event id 5829 and monitoring for devices that are not utilizing a secure Netlogon. If a device is detected with event id 5829 recommended steps by Microsoft are as follows: Windows Systems , – Confirm the device(s) are running supported versions of Windows , – Ensure the system is fully updated. , – Check to ensure that Domain member: digitally encrypt or sign secure channel data (always) is set to enabled. , For non-windows systems acting as a Domain Controller and an event is logged , – Ensure the non-compliant DC supports secure RPC with Netlogon secure channel then enable secure RPC on the DC. , – If the non-compliant DC does not support RPC then the device manufacturer (OEM) or software vendor will need to update in order to support secure RPC with Netlogon secure channel. , – Remove the non-compliant DC. , If a non-compliant DC cannot support the RPC with Netlogon secure channel before the DCs are in enforcement mode, add the DC using the “Domain controller: allow vulnerable Netlogon secure channel connections” group policy. Further information on this action can be found at the following location on Microsoft’s site: , https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc , Action 3: Enable DC enforcement mode after confirming all devices are compliant and will not break as a result of enabling. It should be noted the patch to be released February 9th, 2021 will automatically enable enforcement mode on Domain Controllers.

06.22.21

CVE-2021-3044 Vulnerability: Cortex XSOAR

By Deepwatch,

[Editor’s Note] Deepwatch has successfully upgraded the Palo Alto Cortex XSOAR platform to a version that is not vulnerable. The upgrade was completed 6/23/21 at 10PM EST without a lapse in coverage.

Executive Summary

Deepwatch is currently tracking and mitigating the recent Cortex XSOAR CVE (CVE-2021-3044) which presents a risk to unauthorized usage of the REST API. At the time of Palo Alto Network’s advisory[1], no evidence of exploitation had been identified in the wild.

What is Deepwatch doing?

Deepwatch has identified that our Cortex XSOAR version is impacted by this vulnerability, and has taken these steps to mitigate:

Deepwatch has taken the steps to eliminate our exposure by implementing use cases to monitor invalid API usage;
Deepwatch has also activated our emergency change management protocol to upgrade to a non-affected version of Cortex XSOAR;
Deepwatch has had and maintains limited access to the Cortex XSOAR environment.

Supporting Details

Affected Cortex XSOAR Versions:

Cortex XSOAR 6.2.0 Build < 1271065
Cortex XSOAR 6.1.0 Build >= 1016923 and < 1271064

CVSS Details

Severity: 9.8
Attack Vector: Network
Attack Complexity: Low
User Interaction: None
Required Privileges: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Who is affected?

Only specific Cortex XSOAR versions and instances that are configured with active API key integrations are affected. To determine if your organization is affected, check the version and build number in context to the CVE, and view the ‘Settings > Integration > API Keys’ details from the Cortex XSOAR web client for current and future API keys.

Workarounds & Mitigations

Palo Alto Networks has provided a list of workarounds and mitigations for organizations with affected Cortex XSOAR versions; these workarounds and mitigations include the following[1]:

To fully mitigate the issue, revoke all active integration API keys.
- To revoke integration API keys from the Cortex XSOAR web client:
  - Settings > Integration > API Keys and then Revoke each API key.
- Note: You can create new API keys after you upgrade Cortex XSOAR to a fixed version.
To reduce the impact of the issue, restrict network access to the Cortex XSOAR server to allow only trusted users.
To monitor the issue, review logs via Splunk for updates to user invites and API key creation (where index=demisto is ingested server.log).
- New user creation
  - index=demisto “*/home/circleci/.go_workspace/src/github.com/demisto/server/repoDB/complexRepo/invite.go*” | rex ” invite (for? )?(?<invite>\S+)” | table _time invite
- New API key creation
  - index=demisto “*/builds/gopath/src/github.com/demisto/server/web/middleware.go*” (apikeys AND “*POST*”) | table _raw

Sources

https://security.paloaltonetworks.com/CVE-2021-3044

Learn more about Deepwatch Vulnerability Management here.