Thoughts regarding Microsoft vulnerability CVE-2020-1472

Starting last week, mass media outlets started reporting on Microsoft vulnerability CVE-2020-1472, commonly referred to as “Zerologon”, as a vulnerability that affects server operating systems when working as domain controllers in an environment. What’s unique is that this vulnerability carries a critical severity rating from Microsoft as well as the rare, maximum rating of “10” under the Common Vulnerability Scoring System. Let’s start with a couple of key points to consider:

First, keep in mind that a vulnerability is a security weakness that has been found to exist but has not yet been used as the foundation of a known attack. That gives developers – Microsoft, in this case – time to develop the patches needed to fix the vulnerability, which Microsoft did and released in early August. As a result, we’ve distributed these updates to our clients through our ManageSuite Advanced Update Management service. That’s the good news.

The problem is that the patches Microsoft released in August were only for server operating systems that are still under active support. Remember all those articles we wrote last year about Windows 7 desktop operating systems and Windows Server 2008 and 2008 R2 going end-of-support this past January? Well, if folks haven’t upgraded their domain controllers to Server 2012 or higher, they are at critical risk of an exploit, and their options for mitigating that risk in a timely manner are limited.

And now reports are surfacing, including from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), that exploits can be expected as soon as tonight, Monday, September 21. So what can you do about it if you still have 2008 servers in use?

Unlike Windows 7 desktop operating systems, for which Extended Support Updates (ESUs) were made available for purchase for all systems running Windows 7, Microsoft only allowed ESUs for Windows Server 2008 or 2008 R2 if a client had an existing Software Assurance or Enterprise Assurance agreement in place. If such a contract wasn’t already in place, the only option is to upgrade the server to a newer, supported version – usually 2016 or 2019. However, these are not typically in-place upgrades; they are migrations that take time and planning, and often come with the added cost of purchasing upgraded server and client access licensing as well – not the sort of thing that can be accomplished in 24 hours.

Therefore, if you are an organization that continues to run a 2008 or 2008 R2 server in your environment, we have a couple of pieces of advice for your consideration, depending on your situation:

  1. If 2008 servers are in your production environment, whether as domain controllers or otherwise, work with us to formulate a plan to upgrade them to a supported operating system version ASAP. If the budget is tight due to COVID, we have financing options available, but these take time to put in place, so don’t delay having this conversation.
  2. If 2008 servers are in your environment but not as domain controllers – maybe just some old application server holding archived data that may still be needed (a common occurrence) – please keep these servers powered off. If they are ever needed to reference archived data, we recommend moving the virtual machine to a test environment that is offline from the production environment, so as not to introduce a potential attack vector into your environment. Running out-of-support operating systems in your production environment is never recommended.
  3. If you are like the majority of our clients and your domain controllers are NOT running 2008 because you worked to upgrade all operating systems to supported versions by the January 2020 deadline, congratulations! All your hard work paid off, and you have one less headache to deal with, allowing you to Keep Calm and Compute On.
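Before any of the three situations above can be acted on, you need to know which machines you actually have. The following script is an added example, not part of the original post or of any ManageSuite tooling: it uses the standard ActiveDirectory PowerShell module (RSAT) to list domain controllers and flag any on Windows Server 2008 / 2008 R2, then lists other 2008-era member servers and checks whether they still answer on the network, since the advice above is to keep those powered off. It assumes you run it from a domain-joined machine with an account that can read computer objects; the `Server 2008` match string is an assumption about how the OperatingSystem attribute is populated in your domain.

```powershell
# Added example (not from the original post): inventory Windows Server 2008 / 2008 R2
# machines so the upgrade-or-power-off advice above can be applied.
# Assumes the ActiveDirectory module (RSAT) and read access to computer objects.
Import-Module ActiveDirectory

# Matches "Windows Server 2008 R2 Standard", "Windows Server 2008 Enterprise", etc.
# Adjust if your OperatingSystem attribute values look different (assumption).
$legacyPattern = 'Server 2008'

# 1. Domain controllers: these are the systems this vulnerability is about.
$dcs = Get-ADDomainController -Filter * |
    Select-Object Name, HostName, OperatingSystem, OperatingSystemVersion, IPv4Address

$legacyDcs = $dcs | Where-Object { $_.OperatingSystem -match $legacyPattern }

if ($legacyDcs) {
    Write-Warning "Domain controllers on an out-of-support OS (plan the migration first):"
    $legacyDcs | Format-Table -AutoSize
} else {
    Write-Host "No domain controllers running Windows Server 2008 / 2008 R2 were found."
}

# 2. Other 2008 / 2008 R2 computers (not DCs): report whether each still responds,
#    because the guidance above is to keep them powered off.
$legacyMembers = Get-ADComputer -Filter { OperatingSystem -like '*Server 2008*' } `
    -Properties OperatingSystem, LastLogonDate |
    Where-Object { $_.Name -notin $dcs.Name }

$legacyMembers | ForEach-Object {
    # One ICMP probe per host; a host that answers is powered on and reachable.
    $online = Test-Connection -ComputerName $_.DNSHostName -Count 1 -Quiet `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name          = $_.Name
        OS            = $_.OperatingSystem
        LastLogonDate = $_.LastLogonDate
        OnlineNow     = [bool]$online
    }
} | Sort-Object OnlineNow -Descending | Format-Table -AutoSize
```

Anything that appears in the first table belongs under item 1 above; anything in the second table with `OnlineNow` set to True is a candidate for item 2 and should be shut down or moved to an isolated test environment. Running the script again after the migration gives you a simple before-and-after record of the work.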