{"id":7608,"date":"2020-09-23T11:28:15","date_gmt":"2020-09-23T08:28:15","guid":{"rendered":"https:\/\/www.inforte.com\/?p=7608"},"modified":"2020-09-30T13:53:38","modified_gmt":"2020-09-30T10:53:38","slug":"cve-2020-1472-zerologon-zafiyeti","status":"publish","type":"post","link":"https:\/\/www.inforte.com\/en\/cve-2020-1472-zerologon-zafiyeti\/","title":{"rendered":"CVE-2020-1472 \u201cZerologon\u201d Zafiyeti"},"content":{"rendered":"

CVSS \u201810.0\u2019 tam puan olarak Windows Server ve Active Directory bile\u015fenlerini ciddi \u015fekilde etkileyen bir a\u00e7\u0131k yay\u0131nland\u0131, zafiyet ile sald\u0131rganlar domain etki aln\u0131ndaki herhangi bir istemciye eri\u015fim varsa, etki <\/span>alan\u0131 i\u00e7erisindeki sistemlere eri\u015fim sa\u011flamas\u0131na olanak sa\u011fl\u0131yor.<\/p>\n
\n

\"\"<\/p>\n

\u00a0
<\/p>\n

\u0130lgili g\u00fcvenlik a\u00e7\u0131\u011f\u0131 Microsoft’un A\u011fustos g\u00fcncellemesinde d\u00fczeltildi, ancak detaylar\u0131 tam olarak a\u00e7\u0131klanmam\u0131\u015ft\u0131. Bu sald\u0131r\u0131 tekni\u011fi ile tehdit akt\u00f6rleri \u00e7e\u015fitli k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m veya Uzak Masa\u00fcst\u00fc Protokol\u00fcne (RDP) ile sistemlere illegal eri\u015fim sa\u011flayarak ba\u015fta Privilaged Escelation<\/a> ve Lateral Movement<\/a> taktiklerini kullanarak bir\u00e7ok<\/span> atak tekni\u011finin kolayca \u00e7<\/span>al\u0131\u015fmas\u0131na olanak sa\u011flamaktad\u0131r. Zafiyetin yeni olmas\u0131, ve i\u015fletim sistemi yamalama periyodunun ortalama 90 g\u00fcn oldu\u011fu d\u00fc\u015f\u00fcn\u00fcld\u00fc\u011f\u00fcnde bir\u00e7ok<\/span> kurumun potansiyel olarak risk alt\u0131nda oldu\u011funu varsayabiliriz.<\/p>\n

\u00a0
<\/p>\n

CVE-2020-1472 zafiyetinden yararlanmak i\u00e7in, sald\u0131rgan\u0131n, domain eri\u015fimi elde etmek i\u00e7in MS-NRPC(Netlogon Remote Protocol) kullanmas\u0131 gerekmektedir. \u0130lgili zafiyet \u015fifreleri g\u00fcncellemek ve eri\u015fim sa\u011flamak i\u00e7in MS-NRPC taraf\u0131ndan kullan\u0131lan kriptografik kimlik do\u011frulama \u015femas\u0131ndaki bir kusurdan kaynaklanmaktad\u0131r. Sald\u0131rgan, domain admin kullan\u0131c\u0131lar\u0131n\u0131n kendisi de dahil olmak \u00fczere herhangi bir bilgisayar\u0131n yetkilerini almak ve kendisini bu kimlik bilgileri ile maskeleyerek gizlenmesine de olanak sa\u011flayabilir yada orjinal DC paralos\u0131n\u0131n de\u011fi\u015fmesini sa\u011flayabilir. Di\u011fer bir olas\u0131l\u0131k ise \u201czerologon\u201d sald\u0131r\u0131s\u0131 ile tehdit akt\u00f6rleri hedef a\u011fda k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m ve fidye yaz\u0131l\u0131mlar\u0131n\u0131 daha kolay \u015fekilde kullanmalar\u0131na da olanak sa\u011flayarak \u00e7e\u015fitli fidye ataklar\u0131 ile kendini g\u00f6sterebilir.<\/p>\n

\u00a0
<\/p>\n

\n
\n
\n
\n
\n
\n
\"\"<\/div>\n
\u00a0
<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

Sald\u0131r\u0131 tekni\u011fi istemcilerin DC’ye ba\u011flanmak i\u00e7in kullan\u0131lan \u2018ComputeNetlogonCredential\u2019 ile kullan\u0131lan AES-CFB8 \u015fifrelemesinin yanl\u0131\u015f i\u015flenmesi nedeniyle, payla\u015f\u0131lan \u015fifreleme anahtar\u0131n\u0131n s\u0131f\u0131ra e\u015fit olmas\u0131ndan kaynaklanmaktad\u0131r, bu nedenle ad\u0131na \u2018ZeroLogon\u2019 ad\u0131 verilmi\u015ftir. Sald\u0131r\u0131 domain parolas\u0131n\u0131 de\u011fi\u015ftirmek ve bir etki alan\u0131n\u0131n denetimini tamamen ele ge\u00e7irmesi 3 saniyeden az s\u00fcrede ger\u00e7ekle\u015fmektedir. Atak MITRE ATT&CK alt\u0131nda Lateral Movmenet Tactic<\/a> ve Exploitation of Remote Services (T1210)<\/a> olarak listelenmi\u015ftir.<\/p>\n

\u00a0
<\/p>\n

Etkilenen Sistemler<\/h2>\n
\u00a0
<\/div>\n

Windows Server 2019 ve Windows Server 2016’n\u0131n herhangi bir s\u00fcr\u00fcm\u00fcn\u00fcn yan\u0131 s\u0131ra Windows Server s\u00fcr\u00fcm 1909, Windows Server s\u00fcr\u00fcm 1903, Windows Server s\u00fcr\u00fcm 1809 (Datacenter ve Standart s\u00fcr\u00fcmler), Server 2012 R2, Windows Server 2012 ve Windows Server 2008 R2 Service Pack 1. domain etki alan\u0131n\u0131 ele ge\u00e7irebilir.<\/p>\n

\u00a0
<\/p>\n

CVE-2020-1472 i\u00e7in G\u00fcvenlik Ad\u0131mlar\u0131<\/h2>\n
\n