5:35pm, 24 September 2020
Critical Windows Authentication Vulnerability in Netlogon
Update 24 September: Microsoft has reported this vulnerability is now being exploited by attackers. Any organisations that haven't yet applied August 2020 security updates for Microsoft Windows Server should apply these updates as soon as possible.
A flaw in the cryptographic scheme used by Windows' Netlogon Remote Protocol (CVE-2020-1472, also known as "Zerologon") allows an unauthenticated attacker with network access to a Domain Controller to set the password of any machine account, including the Domain Controller's own machine account, to a blank (zero-length) password. Leveraging this would allow full compromise of the Domain Controller and, from there, the whole domain.
At least one proof of concept has been released publicly, so the potential for active exploitation exists. Applying the August 2020 updates from Microsoft should be carried out as a high priority if they have not already been applied to your systems. Windows Domain Controllers should be the highest priority systems to update.
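The root cause, in a little more detail than the paragraph above: the Netlogon handshake derives a session key, then computes an 8-byte "credential" by encrypting the client's 8-byte challenge with AES in CFB8 mode using a fixed all-zero IV. In CFB8 each output byte is plaintext XOR the first byte of the block cipher applied to a 16-byte shift register, and the register is then shifted by one byte and refilled with the ciphertext byte. With IV = 0 and a challenge of all zeros, the first output byte is the first byte of E_k(0); whenever that byte happens to be 0 (1 session key in 256) the register never changes and the whole credential is zero. An attacker who sends a zero challenge and a zero credential therefore gets accepted after roughly 256 attempts, without knowing the key. The script below is an added example, not code from CERT NZ, Microsoft or any published proof of concept; a keyed SHA-256 stands in for the AES-128 block function (an assumption so it runs with the standard library only; the effect depends on CFB8's chaining, not on the cipher inside it), and the "session keys" are a constructed counter sequence rather than real keys derived from a machine account password.

```python
import hashlib

BLOCK_SIZE = 16          # AES block size in bytes
CHALLENGE_SIZE = 8       # Netlogon client challenge / credential size


def stand_in_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES-128 block function (an assumption of this example).

    A keyed SHA-256 truncated to one block is used so the demo runs with the
    standard library only.  The weakness shown below depends solely on how
    CFB8 chains its shift register, not on which block cipher sits inside it.
    """
    assert len(block) == BLOCK_SIZE
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """8-bit cipher feedback mode.

    Each ciphertext byte is plaintext XOR the first byte of E_k(register);
    the register then drops its oldest byte and takes the new ciphertext
    byte at the end.
    """
    register = bytearray(iv)
    ciphertext = bytearray()
    for p in plaintext:
        keystream_byte = stand_in_block_cipher(key, bytes(register))[0]
        c = p ^ keystream_byte
        ciphertext.append(c)
        del register[0]
        register.append(c)
    return bytes(ciphertext)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Model of the pre-patch credential computation: CFB8 with a fixed
    all-zero IV.  The fixed zero IV is the defect; CFB8 needs a fresh
    unpredictable IV per message to be safe."""
    return cfb8_encrypt(session_key, bytes(BLOCK_SIZE), challenge)


def is_weak_session_key(session_key: bytes) -> bool:
    """True when an all-zero challenge produces an all-zero credential.

    With IV = 0 and plaintext = 0, byte 0 of the output is E_k(0)[0].  If that
    byte is zero the register stays all-zero and every later byte is zero
    too, so the check collapses to one byte of E_k(0): 1 key in 256.
    """
    zero_challenge = bytes(CHALLENGE_SIZE)
    return compute_netlogon_credential(session_key, zero_challenge) == zero_challenge


def deterministic_session_keys(count: int, start: int = 0):
    """Constructed key sequence (assumption: stands in for the fresh session
    key the Domain Controller derives for each new Netlogon handshake)."""
    for i in range(start, start + count):
        yield i.to_bytes(BLOCK_SIZE, "big")


def simulate_zero_challenge_attack(max_attempts: int = 4096):
    """Attacker repeats the handshake with client challenge = 0 and client
    credential = 0.  Each attempt gets a fresh session key and succeeds
    exactly when that key is weak.  Returns (attempt number, session key)
    on success, or None if every attempt was rejected."""
    for attempt, key in enumerate(deterministic_session_keys(max_attempts), start=1):
        if is_weak_session_key(key):
            return attempt, key
    return None


def weak_key_fraction(sample: int = 4096) -> float:
    """Empirical fraction of weak keys in the sample; expect about 1/256."""
    weak = sum(1 for key in deterministic_session_keys(sample) if is_weak_session_key(key))
    return weak / sample


if __name__ == "__main__":
    result = simulate_zero_challenge_attack()
    print("zero credential accepted on attempt:", result[0] if result else None)
    print("fraction of weak session keys:", weak_key_fraction())
```

Running it shows the attack succeeding after a few hundred attempts at most and a weak-key fraction close to 0.0039. The same reasoning explains why the bug is exploitable with no credentials at all: the attacker never needs to learn the session key, only to retry the handshake until the Domain Controller happens to pick one of the 1-in-256 keys for which the zero credential validates.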
What's happening
Systems affected
Any version of Windows Server that has the Domain Controller role installed, that has not had the August 2020 update applied. Vulnerable Windows Server versions include:
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server version 1903
- Windows Server version 1909
- Windows Server version 2004
It is likely that older, unsupported, versions of Windows Server are also affected, but will not receive an update to fix the vulnerability. Such systems should be upgraded to a supported operating system.
What this means
Any domain that has a vulnerable Domain Controller could be compromised by an attacker, which could lead to complete takeover of the domain.
What to look for
How to tell if you're at risk
Your environment is vulnerable to this exploit if it contains any Windows servers with the Domain Controller role that have not had the August 2020 updates applied. All Domain Controllers in the environment must be updated to protect against this vulnerability; a single unpatched Domain Controller is enough for an attacker to take over the domain.
What to do
Prevention
Install the August 2020 updates on all Windows servers, with a focus on any servers that have the Domain Controller role installed. This patch also adds new Netlogon Event IDs (5827 to 5831 in the System log) that identify machines on the network attempting to use insecure Remote Procedure Call (RPC) channels, so that they can be found and fixed before enforcement begins. An additional enforcement phase, expected in February 2021, will make Domain Controllers reject Netlogon connections that do not use secure RPC unless a machine account has been given an explicit exception.
Mitigation
Ensure that your Domain Controllers are not internet-accessible. Any such systems that can be accessed over the internet are at higher risk of compromise. Note that this reduces exposure but does not remove the vulnerability: any attacker who already has a foothold on the internal network can still exploit an unpatched Domain Controller, so restricting access is not a substitute for applying the update.
More information
[1] How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 - https://support.microsoft.com/en-nz/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
[2] CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
[3] Script to help in monitoring event IDs related to changes in Netlogon secure channel connections associated with CVE-2020-1472 - https://support.microsoft.com/en-nz/help/4557233/script-to-help-in-monitoring-event-ids-related-to-changes-in-netlogon
[4] https://gist.github.com/silence-is-best/435ddb388f872b1a2e332b6239e9150b
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384