On August 11, 2020, Microsoft released a software update to mitigate a critical vulnerability in Windows Server operating systems (CVE-2020-1472). The vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, could allow an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. Exploitation of this vulnerability is possible due to a flaw in the implementation of the Netlogon AES-CFB8 encryption. The vulnerability, named Zerologon, is triggered by sending a string of zeros to the Netlogon protocol. The flaw allows anyone on a network utilizing the Netlogon protocol to elevate their privileges to that of the domain administrator. This would allow an attacker access to the entire domain, opening up opportunities for further exploitation.
What has changed since August?
Recently, the same researcher who found and disclosed the flaw to Microsoft has published additional details on the vulnerability, and several proof-of-concept exploits tools are now published on GitHub. Needless to say, the vulnerability will be soon weaponized by advisories. The Department of Homeland Security (CISA) has published an Emergency advisory on September 18 for all government agencies to patch this vulnerability by September 21.
How to detect Zerologon, or CVE-2020-1472
CloudPassage released detection capability for this vulnerability in August. If you already have Halo, you can find all servers that are affected by a simple search in the Servers tab of the Halo Portal by CVE Name, as shown in the screen capture below.
Free Assessment for Non-Halo Users
If you don’t have Halo, you can subscribe to the free trial here. With the free trial, you can get detailed CVE information for all your cloud servers and container hosts in less than 30 minutes—including CVE-2020-1472. You also can see reports on overall compliance, drill into specific assessments, and understand how to remediate critical issues in your cloud infrastructure.
After selecting a server, either click on the Software tab or the Issues tab. The Package Health view on the Software tab displays the status of all of the software packages on the server at the time of the most recent scan. If you want to view results from a different scan, click the Data as of drop-down, and select a different date. By default, the data in the list is sorted by criticality.
The graphic summary displays the following information:
- Packages by Result: Displays the total count of software packages on the server by scan result and criticality: Vulnerable (critical), Vulnerable (non-critical), or OK (no vulnerabilities detected). You can click any part of the graphic or any count to filter the view according to your selection.
- Vulnerable Packages by Remote Exploitability: Displays the total count of vulnerable packages on the server according to how many of those vulnerabilities are remotely exploitable. You can click any part of the graphic or any count to filter the view according to your selection.
- CVEs by CVSS Severity: Displays the total count of CVEs on the server by CVSS v3 severity levels: Critical, High, Medium, and Low.
We recommend patching the affected servers as soon and possible by installing the patch from Microsoft.
The Windows Netlogon Remote Protocol vulnerability CVE-2020-1472 has PoC exploit code available and the vulnerability could be soon weaponized by malicious actors. CISA (DHS) has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires immediate and emergency action. All government agencies should patch by September 21.