Updates September 16, 2020

Samba domain controllers before 4.8 have been confirmed to be vulnerable to CVE-2020-1472. There are now multiple public PoC exploits available, most if not all of which are modifications to Secura’s original PoC built on Impacket. There are reports of the vulnerability's being actively exploited in the wild, including to spread ransomware. The maintainer of popular post-exploitation tool Mimikatz has also announced a new release of the tool that integrates Zerologon detection and exploitation support. Several threads on exploitation traces and community detection rules have also garnered attention from researchers and security engineers.

(Original text)

Earlier today (September 14, 2020), security firm Secura published a technical paper on CVE-2020-1472, a CVSS-10 privilege escalation vulnerability in Microsoft’s Netlogon authentication process that the paper's authors christened “Zerologon.” The vulnerability, which was partially patched in Microsoft’s August 2020 Patch Tuesday release, arises from a flaw in the cryptographic implementation of the Netlogon protocol, specifically in its usage of AES-CFB8 encryption. The impact of successful exploitation is enormous: The flaw allows for full takeover of Active Directory domains by compromising Windows Servers running as domain controllers—in Secura’s words, enabling “an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint.” This RPC connection can be made either directly or over SMB via namedpipes.

Secura’s blog includes proof-of-concept (PoC) code that performs the authentication bypass and is easily able to be weaponized for use in attacker operations, including ransomware and other malware propagation. It’s unlikely that it will take long for a fully weaponized exploit (or several) to hit the internet.

InsightVM customers can assess their exposure to CVE-2020-1472 with an authenticated check. Organizations that have not already applied Microsoft’s August 11, 2020 security updates are urged to consider patching CVE-2020-1472 on an emergency basis. Microsoft customers who have successfully applied the August 2020 security updates can deploy Domain Controller (DC) enforcement mode either now or after the Q1 2021 update that includes the second part of the patch for this vulnerability. Microsoft has guidance here on how to manage changes in Netlogon secure channel connections associated with this vulnerability.

For more Rapid7 analysis, further evaluation of Secura’s technical paper, and guidance, see Zerologon’s AttackerKB entry here.

Affected products

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)

References