Microsoft’s Zerologon Vulnerability (CVE-2020-1472)

As part of its August monthly update, Microsoft has applied a temporary patch to a critical elevation of privilege flaw which can be exploited by attackers to take over Windows Servers running as domain controllers, as well as host computers in enterprise networks.

Tracked as CVE-2020-1472, also dubbed as Zerologon and Netlogon Elevation of Privilege Vulnerability, is an elevation of privilege vulnerability that exists when an unauthenticated attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). The flaw takes advantage of a weak cryptographic algorithm used in the Netlogon authentication process, the protocol that authenticates users against domain controllers. In order to perform the Zerologon attack, an attacker first needs to have a foothold inside a network. However, once the condition is met, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Once successful, it can allow threat actors to manipulate Netlogon authentication procedures and impersonate the identity of any computer connected to a network when trying to authenticate against the domain controller, disable security features in the Netlogon authentication process, and even change a computer’s password on the domain controller’s Active Directory.

As of this writing, a weaponized proof-of-concept (POC) code has been published and is publicly available, meaning that exploitation of the flaw can occur at vulnerable systems. The second phase of the patch is schedule to be implemented in February 2020 for further elimination of the vulnerability.

___________________________________

A. Nature of the Attack

What are the affected versions of this vulnerability:

Windows Server

Windows Server version 1903, 1909, and 2004
Windows Server 2008 R2 for x64-based Systems Service
Windows Server 2012 to 2019Windows Server 2012 to 2019

___________________________________

B. Actions to be Taken

CERT-PH recommends the following actions be taken:

Immediately test and apply the corresponding patched versions of the affected system from the August’s monthly update published by Microsoft and anticipate for the second phase of the patch to fully addressed the issue. (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472)