09/14/2020 | News release | Distributed by Public on 09/14/2020 17:36
Earlier today, security firm Secura published a technical paper on CVE-2020-1472, a CVSS 10 privilege escalation vulnerability in Microsoft's Netlogon authentication process that Secura christened 'Zerologon.' The vulnerability, which was partially patched in Microsoft's August 2020 Patch Tuesday release, arises from a flaw in the cryptographic implementation of the Netlogon protocol, specifically in its usage of AES-CFB8 encryption. The impact of successful exploitation is enormous: the flaw allows full takeover of Active Directory domains by compromising Windows Servers running as domain controllers. In Secura's words, it enables 'an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker's viewpoint.' This RPC connection can be made either directly or over SMB via named pipes.
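The cryptographic point behind the paragraph above is how the protocol uses AES-CFB8: the published analysis shows the IV is fixed at all zeros, and CFB8 with a fixed all-zero IV maps an all-zero message to an all-zero ciphertext for one key in 256, because once the first keystream byte E(K, 0)[0] is zero the shift register never changes. The Go program below is an added example written for this page; it is not Secura's PoC, Rapid7's code, or anything from the Netlogon implementation. It builds CFB8 over the standard-library AES block cipher and measures how often an 8-byte all-zero message encrypts to all zeros, once with a fixed zero IV and once with a per-message IV. `deriveKey` and `deriveIV` are constructed helpers that give a reproducible sequence of keys and IVs for the experiment; nothing here speaks the Netlogon protocol.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// cfb8Encrypt implements CFB mode with an 8-bit feedback segment over any
// block cipher: each plaintext byte is XORed with the first byte of
// E(K, register); the register then shifts left by one byte and the new
// ciphertext byte is appended at the end. The IV is the initial register.
func cfb8Encrypt(block cipher.Block, iv, plaintext []byte) []byte {
	bs := block.BlockSize()
	reg := make([]byte, bs)
	copy(reg, iv)
	ks := make([]byte, bs)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		c := p ^ ks[0]
		out[i] = c
		copy(reg, reg[1:])
		reg[bs-1] = c
	}
	return out
}

// cfb8Decrypt mirrors cfb8Encrypt; CFB only ever uses the forward block
// function, and the register is fed with ciphertext bytes on both sides.
func cfb8Decrypt(block cipher.Block, iv, ciphertext []byte) []byte {
	bs := block.BlockSize()
	reg := make([]byte, bs)
	copy(reg, iv)
	ks := make([]byte, bs)
	out := make([]byte, len(ciphertext))
	for i, c := range ciphertext {
		block.Encrypt(ks, reg)
		out[i] = c ^ ks[0]
		copy(reg, reg[1:])
		reg[bs-1] = c
	}
	return out
}

// deriveKey and deriveIV are constructed helpers: they produce a
// deterministic, reproducible stream of 128-bit "session keys" and IVs so the
// experiment gives the same numbers on every run. They are not how Netlogon
// derives anything.
func deriveKey(i uint32) []byte {
	var buf [4]byte
	binary.BigEndian.PutUint32(buf[:], i)
	sum := sha256.Sum256(append([]byte("key"), buf[:]...))
	return sum[:16]
}

func deriveIV(i uint32) []byte {
	var buf [4]byte
	binary.BigEndian.PutUint32(buf[:], i)
	sum := sha256.Sum256(append([]byte("iv"), buf[:]...))
	return sum[:16]
}

// zeroCiphertextCount encrypts an 8-byte all-zero message under n distinct
// keys and counts how often the ciphertext is also all zeros. With a fixed
// all-zero IV the count is about n/256: if E(K, 0^16)[0] is zero, the first
// ciphertext byte is zero, the register stays all zeros, and every later byte
// repeats the same zero. With a per-message IV the event requires 64 specific
// keystream bits and does not occur in practice.
func zeroCiphertextCount(n uint32, zeroIV bool) int {
	zeros := make([]byte, 8)
	count := 0
	for i := uint32(0); i < n; i++ {
		block, err := aes.NewCipher(deriveKey(i))
		if err != nil {
			panic(err)
		}
		iv := make([]byte, 16) // fixed all-zero IV
		if !zeroIV {
			iv = deriveIV(i) // fresh IV per message
		}
		if bytes.Equal(cfb8Encrypt(block, iv, zeros), zeros) {
			count++
		}
	}
	return count
}

func main() {
	const trials = 4096
	fmt.Printf("fixed zero IV : %d of %d keys map 0^8 to 0^8 (expected about %d)\n",
		zeroCiphertextCount(trials, true), trials, trials/256)
	fmt.Printf("per-message IV: %d of %d keys map 0^8 to 0^8\n",
		zeroCiphertextCount(trials, false), trials)
}
```

The fixed-IV run reports on the order of 16 of 4096 keys; the per-message-IV run reports 0. That gap is the property a correct CFB8 construction depends on, and it is why a fixed IV in CFB8 is a design defect rather than an implementation slip: no choice of key makes the fixed-IV variant safe against an all-zero input.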
Secura's blog includes proof-of-concept (PoC) code that performs the authentication bypass and can easily be weaponized for use in attacker operations, including ransomware and other malware propagation. It is unlikely to take long for a fully weaponized exploit (or several) to hit the internet.
InsightVM customers can assess their exposure to CVE-2020-1472 with an authenticated check. Organizations that have not already applied Microsoft's August 11, 2020 security updates are urged to consider patching CVE-2020-1472 on an emergency basis. Microsoft customers who have successfully applied the August 2020 security updates can deploy Domain Controller (DC) enforcement mode either now or after the Q1 2021 update that includes the second part of the patch for this vulnerability. Microsoft has published guidance on how to manage the changes in Netlogon secure channel connections associated with this vulnerability.
For more Rapid7 analysis, further evaluation of Secura's technical paper, and guidance, see Zerologon's AttackerKB entry.