Threat Signal Report

Zerologon Proof of Concept Code Available for CVE-2020-1472 (Windows Netlogon Elevation of Privilege)

Description

FortiGuard Labs is aware of a recent (Sept. 17th) tweet made by the United States National Security Agency (NSA) that alerts readers of the release of viable proof of concept code for CVE-2020-1472 (Windows Netlogon Elevation of Privilege). This vulnerability was previously disclosed during the monthly August 2020 Patch Tuesday release cycle. In a nutshell - an unauthenticated user exploiting this vulnerability can obtain access to a domain controller and obtain domain administrator access.


What are the Specifics of the Vulnerability?

Dubbed "Zerologon" and discovered by security researcher Tom Tervoort, the attack takes advantage of cryptographic flaws, specifically in a cryptographic authentication protocol, that validates the identity of a machine that is domain joined to the domain controller. Due to an incorrect use of AES, the identity of any account can be spoofed - including the domain controller - to set an empty password for the joined account in the domain. An attacker can simply leverage an unauthenticated connection to a domain controller to carry out an attack.

According to the Microsoft advisory, an elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Essentially, an attacker who has access at the domain administrator level can add/delete users, perform data exfiltration or simply sabotage the whole entire network, if they please.


How Critical of an Issue is this?

HIGH. This vulnerability has a CVSS score of 10, which is the highest score possible.


Can this Vulnerability Be Exploited Remotely?

No. However, given that this vulnerability can be exploited by an attacker inside a network, other points of entry (such as utilizing other vulnerabilities) make this a dangerous vulnerability overall. Another factor to consider is exploitation by a disgruntled worker who is legitimately on the network make this an exceptionally dangerous vulnerability.


What Operating Systems Are Affected?

All Windows Server versions.


What is the status of AV/IPS coverage?

AV coverage is not feasible at this time.

Customers running the latest IPS definitions (16.928) are protected by the following signature:

MS.Windows.Server.Netlogon.Elevation.of.Privilege


Any Suggestions or Mitigation?

Due to the ease of exploitability, potential for destruction and being assigned the highest CVSS score possible, FortiGuard Labs suggests applying all patches immediately; or as soon as time permits. Because of the complex nature of installing the patches for this issue - further details on applying patches for this issue is available on the vendor write-up page located in the APPENDIX section.


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.