• S1E1 - Breaking Bitlocker, Exchange RCE, and Zerologon

  • Oct 16 2020
  • Length: 4 mins
  • Podcast

S1E1 - Breaking Bitlocker, Exchange RCE, and Zerologon

  • Summary

  • Today we’re going to dive into a few interesting vulnerabilities coming from everyone’s favorite punching bag — Microsoft.

    A researcher at Black Hat Asia 2020 revealed a vulnerability with BitLocker that allows a user to bypass Window’s full disk encryption. It does so by exploiting a weakness in how BitLocker handles sleep mode in some edge cases. A video released by the researcher shows the vulnerability being exploited using a tool they developed called bitleaker.

    Basically, after the windows machine is shutdown, an attacker boots into a live USB with the bitleaker tool installed, forces the computer to go into sleep mode, and the tool proceeds to take advantage of the weak handling of the edge case upon waking the machine. This abnormal sleep mode case allows for the Trusted Platform Module onboard the windows machine to be cleared, completely neutralizing it’s security features and allowing for BitLocker’s Virtual Master Key to be unsealed and encryption to be broken. More information on this can be found on the details page for CVE-2020–0526 or by visiting the bitleaker repo on github.

    US Federal agencies are reporting that nearly 250,000 exchange servers remain unpatched from a particularly malicious RCE vulnerability, CVE-2020–0688, effecting nearly every machine with the Exchange control panel component enabled. This component is enabled by default, so you can imagine just how widespread this vulnerability is.

    Microsoft addressed this problem about 8 months ago on February’s patch Tuesday, and companies across the globe have patched it about as quickly as you’d expect. Both the NSA and CISA are urging everyone with an Exchange server to patch this as soon as possible, as multiple Advanced Persistent Threat groups are actively deploying exploits against this vulnerability. Last, but not least, let’s talk about the dangerous elephant in the room. The ZeroLogon vuln disclosed back in August is coming back in full force this week, as DHS warns against a potential wave of exploitation.

    For anyone not familiar with the vulnerability, it allows an attacker to bypass the authentication mechanism in Active Directory’s Netlogon Remote Protocol (MS-NRPC) which allows users to logon using NTLM. It does so by forcing the initialization vector, which should always be a random number, to contain all zeroes, allowing for the encryption to be incredibly predictable and thus breakable. Any attacker gaining control with this attack essentially has the keys to the kingdom, or in the case the Domain Controller. From there, the sky is the limit, an attacker can likely takeover an entire network using this vulnerability as an entry point.

    Ok, there you have it, your daily dose of “oh no, I have to patch something” known as the Daily Vuln.

    This podcast is powered by Pinecast.

    Show More Show Less
activate_Holiday_promo_in_buybox_DT_T2

What listeners say about S1E1 - Breaking Bitlocker, Exchange RCE, and Zerologon

Average customer ratings

Reviews - Please select the tabs below to change the source of reviews.