Microsoft acknowledged the Zerologon vulnerability in August and provided a patch. Recently, an exploit for the vulnerability has made it into the wild. The attack is trivial in nature: a Windows Server 2019 Server Core domain controller can be compromised from a device as lowly as a Raspberry Pi Zero. Details on the nature of the attack method can be found on the SecuraBV website. It is critical that organizations running Active Directory patch their domain controllers as soon as possible. That said, the patch comes with its own issues: some legacy systems do not use secure RPC for Netlogon, and the patch will break their access to domain controllers.
The patch is actually two patches: one delivered in August and another scheduled for February 11, 2021. The first patch recognizes that the mitigation will break some clients. The August patch provides events to monitor for non-compliant devices and a group policy that allows non-compliant devices to continue operating while they are remediated. Domain controllers can be placed into enforcement mode prior to February 2021, which, according to Microsoft’s technical article, ensures 100% mitigation of the exploit. It is critical to patch and upgrade non-compliant devices as soon as possible. Microsoft provides details on the impact of the patch on their support website.
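To make the monitoring phase concrete, here is an added PowerShell example (not from this page or from Microsoft) that summarizes the Netlogon secure-channel events on a domain controller so that non-compliant devices can be listed before enforcement. It assumes the NETLOGON event IDs 5827 through 5831 that the August update writes to the System log, and that each event message names the client in a `SamAccountName:` field; adjust the regex if your message text differs.

```powershell
# Added example: summarize Netlogon secure-channel events emitted after the
# August update so that non-compliant devices are found before enforcement mode.
# Run on each domain controller (or add -ComputerName) with event log read rights.
# Assumption: NETLOGON event IDs 5827-5831 in the System log, as documented by Microsoft.
$eventMeaning = @{
    5827 = 'Denied vulnerable connection (machine account)'
    5828 = 'Denied vulnerable connection (trust account)'
    5829 = 'Allowed vulnerable connection (deployment phase) - remediate before enforcement'
    5830 = 'Allowed by group policy exception (machine account)'
    5831 = 'Allowed by group policy exception (trust account)'
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Assumption: the message text identifies the client as 'Machine SamAccountName: <name>'.
$pattern = 'SamAccountName:\s*(\S+)'

$rows = foreach ($e in $events) {
    $account = if ($e.Message -match $pattern) { $Matches[1] } else { '<unparsed>' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Meaning = $eventMeaning[$e.Id]
        Account = $account
    }
}

# Per-device summary: which accounts still need attention and how often they connect.
$rows | Group-Object Id, Account | ForEach-Object {
    [pscustomobject]@{
        Id      = $_.Group[0].Id
        Meaning = $_.Group[0].Meaning
        Account = $_.Group[0].Account
        Count   = $_.Count
        Last    = ($_.Group.Time | Sort-Object -Descending)[0]
    }
} | Sort-Object Id, Count -Descending | Format-Table -AutoSize

# Accounts still producing 5829 are the ones that will lose access once the
# domain controllers enter enforcement mode.
```

Run it periodically during the deployment phase; an empty 5829 list across all domain controllers is the signal that enforcement mode can be enabled ahead of the February deadline.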