Microsoft “Zerologon” Elevation of Privilege Vulnerability (CVE-2020-1472)
“An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.” – (Microsoft)
What Can Happen:
A hacker can leverage the vulnerability and take over a network. When exploited, this vulnerability allows a malicious actor with local network access to escalate privileges to a domain administrator level. Domain Administrator privileges allow unfettered access to all resources on the domain.
The flaw allows an attacker to trick the domain controller into believing it is communicating with an authenticated user without knowing that user's password. The Zerologon attack works by sending a string of zeros in a series of messages that use the Netlogon protocol. Windows servers rely on the Netlogon protocol for a variety of tasks, such as allowing end users to log in to a network. Malicious actors with no authentication can use the exploit to gain domain administrative credentials, as long as they are able to establish TCP connections with a vulnerable domain controller. The attacker can also disable signing and sealing, the encryption that protects Netlogon communications, which is the beginning of further havoc on the DC. By sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller.
How to Protect Systems
Microsoft is addressing this vulnerability in two phases. The first phase began with the August 11, 2020 patch update. Microsoft customers who have successfully applied this update are protected from the Zerologon vulnerability; if you have not installed this patch, you should do so as soon as possible. The patch fixes the vulnerability by enforcing the Secure Netlogon Remote Protocol for all Windows servers and clients in the domain. In the second phase, another update is scheduled for some time in the first quarter of 2021.
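The August 2020 update does two things that an administrator can verify from the domain controller itself: it adds a registry value, FullSecureChannelProtection, that switches the DC into full enforcement mode (denying every vulnerable Netlogon secure channel connection), and it makes the Netlogon service write System log events 5827/5828 (vulnerable connection denied), 5829 (vulnerable connection allowed during the initial deployment phase) and 5830/5831 (allowed by an explicit group policy exception). The script below is an added example, not part of the original post or of any Microsoft tooling; it assumes it is run elevated on a patched DC, that the events are in the local System log under provider name NETLOGON, and that a seven-day lookback is enough for your environment.

```powershell
# Added example: audit a domain controller's Zerologon (CVE-2020-1472) posture.
# Assumptions: run elevated on a DC with the August 2020 (or later) update;
# events are in the local System log under the NETLOGON provider.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Enforcement mode: FullSecureChannelProtection = 1 denies all vulnerable
#    Netlogon secure channel connections instead of only logging them.
$enforce = (Get-ItemProperty -Path $NetlogonParams -Name FullSecureChannelProtection `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($enforce -eq 1) {
    Write-Host 'FullSecureChannelProtection = 1: enforcement mode is on.'
} else {
    Write-Warning 'FullSecureChannelProtection is not 1: DC is still in the initial deployment phase and will allow vulnerable connections.'
}

# 2. Events written by the patched Netlogon service in the last 7 days.
#    5827/5828 = vulnerable connection denied (machine / trust account)
#    5829      = vulnerable connection allowed (initial deployment phase only)
#    5830/5831 = vulnerable connection allowed by group policy exception
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-7)   # lookback window is an assumption
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No vulnerable Netlogon connection events in the last 7 days.'
    return
}

# Summary: how many of each event type the DC recorded.
$events | Group-Object Id | Sort-Object Name |
    ForEach-Object { '{0,-6} {1,5} event(s)' -f $_.Name, $_.Count } |
    Write-Host

# 5829 lists the accounts that will be refused once enforcement is turned on,
# so review them (and fix or replace those clients) before setting the key to 1.
$events | Where-Object Id -eq 5829 |
    Select-Object TimeCreated, MachineName,
                  @{ n = 'Detail'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Run it on every domain controller, not just one: each DC logs only the vulnerable connections it received itself, so an account that appears in a 5829 event on one DC may be missing from the others.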
Definitions
- Netlogon Remote Protocol is an RPC interface available on Windows domain controllers. It is used for various tasks related to user and machine authentication, most commonly to facilitate users logging in to servers using the NTLM protocol.