Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

CVE-2020-1472: 'Zerologon' Vulnerability in Netlogon Could Allow Attackers to Hijack Windows Domain Controller

Security researchers reveal how the cryptographic authentication scheme in Netlogon can be exploited to take control of a Windows domain controller (DC).

Update: September 21, 2020: The ‘Identifying Affected Systems’ section has been updated to include instructions for our new unauthenticated check for Zerologon.

Background

On September 11, researchers at Secura published a blog post for a critical vulnerability they’ve dubbed “Zerologon.” The blog post contains a whitepaper explaining the full impact and execution of the vulnerability, identified as CVE-2020-1472, which received a CVSSv3 score of 10.0, the maximum score. Zerologon was patched by Microsoft in the August Patch Tuesday round of updates. This disclosure follows a previous Netlogon related vulnerability, CVE-2019-1424, which Secura detailed at the end of last year.

Analysis

CVE-2020-1472 is a privilege escalation vulnerability due to the insecure usage of AES-CFB8 encryption for Netlogon sessions. The AES-CFB8 standard requires that each byte of plaintext, like a password, must have a randomized initialization vector (IV) so that passwords can’t be guessed. The ComputeNetlogonCredential function in Netlogon sets the IV to a fixed 16 bits, which means an attacker could control the deciphered text. An attacker can exploit this flaw to impersonate the identity of any machine on a network when attempting to authenticate to the Domain Controller (DC). Further attacks are then possible, including the complete takeover of a Windows domain. Secura’s whitepaper also notes that an attacker would be able to simply run Impacket’s ‘secretsdump’ script to pull a list of user hashes from a target DC.

In order to exploit this vulnerability, the attacker would need to launch the attack from a machine on the same Local Area Network (LAN) as their target. A vulnerable client or DC exposed to the internet is not exploitable by itself. The attack requires that the spoofed login works like a normal domain login attempt. Active Directory (AD) would need to recognize the connecting client as being within its logical topology, which external addresses wouldn’t have.

CVE-2020-1472: Zerologon Vulnerability in Netlogon Could Allow Attackers to Hijack Windows Domain Controller

Image source: Secura CVE-2020-1472 Whitepaper

Proof of concept

Several proofs of concept (PoCs) have been published to GitHub [1] [2] [3] [4] which demonstrates wide interest and experimentation across the security community. Researchers have been fast at work to confirm successful exploitation. Critical and high profile vulnerabilities tend to receive widespread interest from security researchers and attackers alike.

In a hypothetical attack, one could use this vulnerability to deploy ransomware throughout an organization and maintain a persistent presence if cleanup and restoration efforts miss any additional malicious scripts. Organizations with network-accessible backups could end up with a perfect storm if a ransomware group destroys backups to increase their likelihood of payout from the victim organization.

Solution

Applying the August Patch Tuesday update from Microsoft's Advisory will fix the vulnerability by enforcing remote procedure call (RPC) in the Netlogon protocol for all Windows devices. Tenable strongly encourages users and admins alike to apply this patch as soon as possible.

Users should be aware that Microsoft notes a revision to this advisory will be coming on February 9, 2021, and that, once the enforcement phase begins, enforcement mode will be required for all non-Windows devices. Administrators can manually allow specific devices through group policy for legacy device needs.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be found here. Tenable will also be releasing additional plugins for the February 9, 2021, update. A compliance audit file, available here, can be used to ensure that the FullSecureChannelProtection registry key value is set in group policy on the DC. The August 2020 fix should set this registry key after the patch has successfully been applied.

Tenable has also released Microsoft Netlogon Elevation of Privilege, an unauthenticated plugin for customers that would like to scan their DCs to test exploitability. This plugin attempts to authenticate to the target using an all zero client credential after providing an all zero client challenge. On vulnerable targets, this will succeed on average once every 256 attempts, and this plugin will attempt this up to 2000 times in order to verify if the target is affected. Due to the number of login attempts required to accurately verify exploitability of a target, Tenable does not recommend running this plugin alongside any other plugins in a scan, as it is intended for single-target Domain Controller scans. To enable the plugin, users must disable the 'Only use credentials provided by the user' setting under the Brute Force section in the Assessment options in their scan configuration.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.