Threat Signal Report

Zerologon Proof of Concept Code Available for CVE-2020-1472 (Windows Netlogon Elevation of Privilege)

Description

FortiGuard Labs is aware of a recent (Sept. 17th) tweet made by the United States National Security Agency (NSA) that alerts readers of the release of viable proof of concept code for CVE-2020-1472 (Windows Netlogon Elevation of Privilege). This vulnerability was previously disclosed during the monthly August 2020 Patch Tuesday release cycle. In a nutshell - an unauthenticated user exploiting this vulnerability can obtain access to a domain controller and obtain domain administrator access.

What are the Specifics of the Vulnerability?

Dubbed "Zerologon" and discovered by security researcher Tom Tervoort, the attack takes advantage of cryptographic flaws, specifically in a cryptographic authentication protocol, that validates the identity of a machine that is domain joined to the domain controller. Due to an incorrect use of AES, the identity of any account can be spoofed - including the domain controller - to set an empty password for the joined account in the domain. An attacker can simply leverage an unauthenticated connection to a domain controller to carry out an attack.

According to the Microsoft advisory, an elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Essentially, an attacker who has access at the domain administrator level can add/delete users, perform data exfiltration or simply sabotage the whole entire network, if they please.

How Critical of an Issue is this?

HIGH. This vulnerability has a CVSS score of 10, which is the highest score possible.

Can this Vulnerability Be Exploited Remotely?

No. However, given that this vulnerability can be exploited by an attacker inside a network, other points of entry (such as utilizing other vulnerabilities) make this a dangerous vulnerability overall. Another factor to consider is exploitation by a disgruntled worker who is legitimately on the network make this an exceptionally dangerous vulnerability.

What Operating Systems Are Affected?

All Windows Server versions.

What is the status of AV/IPS coverage?

AV coverage is not feasible at this time.

Customers running the latest IPS definitions (16.928) are protected by the following signature:

MS.Windows.Server.Netlogon.Elevation.of.Privilege

Any Suggestions or Mitigation?

Due to the ease of exploitability, potential for destruction and being assigned the highest CVSS score possible, FortiGuard Labs suggests applying all patches immediately; or as soon as time permits. Because of the complex nature of installing the patches for this issue - further details on applying patches for this issue is available on the vendor write-up page located in the APPENDIX section.