Critical Windows Authentication Vulnerability in Netlogon


5:35pm, 24 September 2020

TLP Rating: Clear


Update 24 September: Microsoft has reported this vulnerability is now being exploited by attackers. Any organisations that haven't yet applied August 2020 security updates for Microsoft Windows Server should apply these updates as soon as possible.

A misconfiguration in the cryptographic protocol used in Windows’ Netlogon Remote Protocol (CVE-2020-1472) allows an unprivileged network user to set any machine account password to a blank zero-length password, including the Domain Controller machine account itself. Leveraging this would allow full compromise of the Domain Controller.

At least one proof of concept has been released publicly, so there is potential for active exploitation. Applying the August 2020 updates from Microsoft should be treated as a high priority if they have not already been applied to your systems. Windows Domain Controllers should be the highest-priority systems to update.

What's happening

Systems affected

Any version of Windows Server with the Domain Controller role installed that has not had the August 2020 update applied. Vulnerable Windows Server versions include:

  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server version 1903
  • Windows Server version 1909
  • Windows Server version 2004

It is likely that older, unsupported versions of Windows Server are also affected, but they will not receive an update to fix the vulnerability. Such systems should be upgraded to a supported operating system.

What this means

Any environment with a vulnerable Domain Controller could be compromised by an attacker, which could lead to complete takeover of the domain.

What to look for

How to tell if you're at risk

Your systems are vulnerable to this exploit if there are any Windows servers with the Domain Controller role in your environment that have not had the August 2020 updates applied. All Domain Controllers in the environment must be updated to protect against this vulnerability.

What to do

Prevention

Install the August 2020 updates on all Windows servers, with a focus on any servers that have the Domain Controller role installed. This patch also includes new Event IDs to monitor for machines on the network that are attempting to use insecure Remote Procedure Call (RPC) channels. There is an additional update, expected in February 2021, which will enforce the use of secure RPC channels unless a machine is given an explicit exception.
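The new Event IDs can be reviewed on each patched Domain Controller with PowerShell. The script below is an added example and is not part of this advisory or of Microsoft's own monitoring script; it assumes the NETLOGON provider writes to the System log and takes the Event ID meanings from Microsoft's KB4557222 guidance.

```powershell
# Added example (not CERT NZ's or Microsoft's code). After the August 2020 update a
# Domain Controller logs NETLOGON events in the System log whenever an account attempts
# a Netlogon secure channel without signing and sealing (an insecure RPC channel).
# Event ID meanings are taken from Microsoft's KB4557222 guidance.
$NetlogonEventMeaning = @{
    5827 = 'Denied: vulnerable connection from a machine account'
    5828 = 'Denied: vulnerable connection from a trust account'
    5829 = 'Allowed (pre-enforcement): vulnerable connection from a machine account'
    5830 = 'Allowed by policy exception: vulnerable connection from a machine account'
    5831 = 'Allowed by policy exception: vulnerable connection from a trust account'
}

function Get-VulnerableNetlogonConnections {
    # Queries one or more Domain Controllers; needs rights to read their System log.
    param(
        [string[]]$DomainController = @($env:COMPUTERNAME),
        [int]$LookbackHours = 24
    )
    foreach ($dc in $DomainController) {
        $filter = @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = 5827, 5828, 5829, 5830, 5831
            StartTime    = (Get-Date).AddHours(-$LookbackHours)
        }
        # Get-WinEvent throws when nothing matches, so a quiet DC yields no output.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    DC          = $dc
                    EventId     = $_.Id
                    Meaning     = $NetlogonEventMeaning[$_.Id]
                    # The message body names the account (and, for 5827/5829, the client)
                    Detail      = $_.Message
                }
            }
    }
}

# Usage: 5829 events identify machines still using insecure RPC; they will be
# denied once the enforcement update ships, so fix or explicitly except them first.
$findings = Get-VulnerableNetlogonConnections -LookbackHours 72
$findings | Sort-Object TimeCreated | Format-Table TimeCreated, DC, EventId, Meaning -AutoSize
$findings | Group-Object EventId | Select-Object Name, Count
```

To cover the whole domain, pass the output of Get-ADDomainController -Filter * (ActiveDirectory module) to the -DomainController parameter.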

Mitigation

Ensure that your Domain Controllers are not internet-accessible. Any such systems that can be accessed over the internet are at higher risk of compromise.

More information

[1] How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 - https://support.microsoft.com/en-nz/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

[2] CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

[3] Script to help in monitoring event IDs related to changes in Netlogon secure channel connections associated with CVE-2020-1472 - https://support.microsoft.com/en-nz/help/4557233/script-to-help-in-monitoring-event-ids-related-to-changes-in-netlogon

[4] https://gist.github.com/silence-is-best/435ddb388f872b1a2e332b6239e9150b

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
