On August 11, 2020, Microsoft released a software update to mitigate a critical vulnerability in Windows Server operating systems (CVE-2020-1472). The vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, could allow an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. Exploitation of this vulnerability is possible due to a flaw in the implementation of the Netlogon AES-CFB8 encryption. The vulnerability, named Zerologon, is triggered by sending a string of zeros to the Netlogon protocol. The flaw allows anyone on a network utilizing the Netlogon protocol to elevate their privileges to that of the domain administrator. This would allow an attacker access to the entire domain, opening up opportunities for further exploitation.
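The "string of zeros" described above works because of how CFB8 mode behaves when the initialization vector is fixed at all zeros, which is what the Netlogon implementation did. The following is an added illustration, not code from CloudPassage, Microsoft or the researcher: it implements AES-128 and CFB8 in plain Python (so it runs without third-party packages) and shows that with a zero IV, an all-zero plaintext encrypts to an all-zero ciphertext for roughly one key in 256. The keys are constructed by counting; `ZERO_IV`, `zero_input_gives_zero_output`, `first_keystream_byte_is_zero` and `find_weak_key` are names chosen here, and the Netlogon message exchange itself is not reproduced.

```python
"""AES-CFB8 with a fixed all-zero IV: why an all-zero input can yield an all-zero output.

Added illustration (not CloudPassage's or Microsoft's code). A small pure-Python AES-128
is included so the example needs no third-party packages.
"""


def _xtime(a: int) -> int:
    """Multiply by x (i.e. by 2) in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gmul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _build_sbox() -> list:
    """Compute the AES S-box: multiplicative inverse followed by the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0) if x else 0
        s = inv
        for i in range(1, 5):  # s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def _expand_key(key: bytes) -> list:
    """AES-128 key schedule: returns 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _encrypt_block(round_keys: list, block: bytes) -> bytes:
    """Encrypt one 16-byte block with AES-128 (state kept column-major, as in FIPS-197)."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                               # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]     # ShiftRows
        if rnd != 10:                                          # MixColumns (not in last round)
            mixed = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                mixed += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3,
                          a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                          a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3),
                          _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
            s = mixed
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]        # AddRoundKey
    return bytes(s)


def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    return _encrypt_block(_expand_key(key), block)


def aes_cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each output byte is plaintext XOR the first byte of E_k(shift register).
    The shift register holds the last 16 ciphertext bytes and is seeded with the IV."""
    rks = _expand_key(key)
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ _encrypt_block(rks, bytes(shift))[0]
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


ZERO_IV = bytes(16)  # the fixed IV the flawed Netlogon implementation used


def zero_input_gives_zero_output(key: bytes, length: int = 8) -> bool:
    """With IV = 0 and plaintext = 0 the first keystream byte is E_k(0)[0]. If it is 0x00,
    the first ciphertext byte is 0x00, the shift register stays all-zero, and every later
    keystream byte is that same E_k(0)[0], so the whole ciphertext comes out as zeros."""
    return aes_cfb8_encrypt(key, ZERO_IV, bytes(length)) == bytes(length)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    """Cheap equivalent of the check above: only the first byte of E_k(0) decides it."""
    return aes128_encrypt_block(key, ZERO_IV)[0] == 0


def fraction_of_keys_with_zero_output(n_keys: int) -> float:
    """Over constructed keys 0, 1, ..., n_keys-1, about 1 in 256 hit the weak case."""
    hits = sum(first_keystream_byte_is_zero(i.to_bytes(16, "big")) for i in range(n_keys))
    return hits / n_keys


def find_weak_key(start: int = 0) -> bytes:
    """Return the first constructed key at or after `start` whose E_k(0) begins with 0x00."""
    i = start
    while not first_keystream_byte_is_zero(i.to_bytes(16, "big")):
        i += 1
    return i.to_bytes(16, "big")


if __name__ == "__main__":
    weak = find_weak_key()
    print("weak key:", weak.hex())
    print("zero plaintext ->", aes_cfb8_encrypt(weak, ZERO_IV, bytes(8)).hex())
    print("fraction of keys affected:", fraction_of_keys_with_zero_output(1024))
```

The point for defenders is that nothing about the key matters: the condition depends only on the first byte of one block encryption, so a fixed zero IV turns a one-in-256 coincidence into something that can be retried until it succeeds. The patch removes the reliance on this construction; a correct CFB8 deployment uses a fresh, unpredictable IV for every message.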
Recently, the same researcher who found and disclosed the flaw to Microsoft published additional details on the vulnerability, and several proof-of-concept exploit tools are now available on GitHub. Needless to say, the vulnerability will soon be weaponized by adversaries. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency advisory on September 18 requiring all government agencies to patch this vulnerability by September 21.
CloudPassage released detection capability for this vulnerability in August. If you already have Halo, you can find every affected server with a simple search by CVE name in the Servers tab of the Halo Portal, as shown in the screen capture below.
If you don't have Halo, you can subscribe to the free trial here. With the free trial, you get detailed CVE information for all of your cloud servers and container hosts in less than 30 minutes, including CVE-2020-1472. You can also view reports on overall compliance, drill into specific assessments, and see how to remediate critical issues in your cloud infrastructure.
After selecting a server, click either the Software tab or the Issues tab. The Package Health view on the Software tab shows the status of every software package on the server as of the most recent scan. To view results from an earlier scan, open the Data as of drop-down and select a different date. By default, the list is sorted by criticality.
The graphic summary displays the following information:
We recommend patching the affected servers as soon as possible by installing the update from Microsoft.
The Windows Netlogon Remote Protocol vulnerability CVE-2020-1472 has PoC exploit code available and could soon be weaponized by malicious actors. CISA (DHS) has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires immediate and emergency action. All government agencies should patch by September 21.