Cybersecurity Threat Advisory 0058-20: Zerologon Attack Targeting Windows Servers (CVE-2020-1472)
A critical vulnerability has been discovered which affects potentially all Windows domain controllers and can allow an unauthenticated attacker on the network to take control of an Active Directory domain controller at will. This can allow the attacker to become a domain admin and give them unrestricted access to the network, which could lead to array of attacks and/or compromises. It is strongly recommended that any potentially affected organization patches this vulnerability immediately.
Technical detail and additional information
What is the threat?
A privilege escalation vulnerability referred to now as “Zerologon” exists in the Netlogon Remote Protocol (MS-NRPC) specifically for Windows domain controllers which could allow an unauthenticated attacker to take control of an Active Directory (AD) domain controller with little effort. The exploit stems from the AES-CFB8 encryption used for Netlogon sessions. In short, the initialization vector (a random variable used to enhance encryption) is fixed instead of random, which allows the attacker to control the decrypted text. In practice, an attacker can exploit this by sending an amount of Netlogon messages with certain fields populated with zeroes to change the domain controller password that is stored in the AD. They can then use this new password to gain access to domain admin credentials and restore the original password.
Why is this noteworthy?
This particular privilege escalation vulnerability has been assigned a Common Vulnerabilities Scoring System (CVSS) score of a 10 out of 10, the maximum score. This exploit is extremely dangerous, namely that it can be performed with no authentication by any device on the network to take control of any Active Directory. After doing this the attacker can now become a full domain admin at will, which means they have free reign over the entire network. Although this attack is not entirely remote (a client or DC that is exposed to the world is not exploitable on its own) it is still extremely easy if the attacker is on the network and spoofing a device the AD would recognize as being within its logical topology. There has already been proof of concept code uploaded to GitHub, and Microsoft is urging everyone to apply the August patches as soon as possible.
What is the exposure or risk?
The potential damage that can ensue from the exploitation of this vulnerability is catastrophic. With an attacker essentially being able to become a domain admin at will, this endangers the entire network and anything accessible from it. In a worst-case scenario, an attacker could distribute ransomware throughout an entire organization and possibly any network-accessible backups that can be reached as well, all while maintaining a backdoor. Of course this is only one example, almost all manner of attacks and exploits can be performed by an attacker that is a domain admin, the potential risk is enormous.
What are the recommendations?
Microsoft has released a patch for this and other vulnerabilities that should be installed as soon as possible to prevent exploitation. It is strongly recommended that any potentially affected organization does not wait to roll out this patch. There is also a Python script available via Github that can test for vulnerability to this particular exploit, which can be found at the following link:
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.