CVE-2020-1472 – ‘Zerologon’ Vulnerability


Friday, September 18th, 2020

CVE-2020-1472, nicknamed ‘Zerologon’, was discovered by researchers at Secura. It is a vulnerability in Netlogon that could allow attackers to hijack a Windows domain controller. Although Microsoft patched it in the August Patch Tuesday round of updates, the CVE received a CVSSv3 score of 10.0, the maximum possible score.

Zerologon is a privilege escalation vulnerability that stems from the insecure use of AES encryption for Netlogon sessions. The mode used requires a randomized initialization vector (IV) for each encryption of plaintext such as a password, so that the result can’t be predicted. The ‘ComputeNetlogonCredential’ function in Netlogon instead sets the IV to a fixed 16 bits, which means an attacker could control the deciphered text. An attacker exploiting this vulnerability can impersonate the identity of any machine on a network when attempting to authenticate with the Domain Controller. This gives the attacker a jumping-off point for further attacks, up to and including the complete takeover of a Windows domain. Secura’s published whitepaper also notes that an attacker could run Impacket’s ‘secretsdump’ script to download a list of user hashes from a targeted Domain Controller. It’s important to note that to exploit the Zerologon vulnerability, an attacker would need to launch the attack from a machine that is already on the same LAN as the target. A vulnerable client or Domain Controller that is exposed to the Internet is not exploitable from outside: the attack requires the spoofed login to work like a normal domain login attempt, so Active Directory would need to recognize the connecting client as part of its logical topology, which external addresses would not be.
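To make the cryptographic point in the paragraph above concrete, here is an added example (not code from this post, from Secura, or from Microsoft) showing why 8-bit cipher feedback mode (CFB8) with a fixed all-zero IV is dangerous. It uses a keyed hash as a stand-in for the AES block function, because CFB8 only ever calls the cipher in the forward direction and the structural property does not depend on which cipher is used. Keys and IVs are constructed deterministically for the demonstration, and the function names are this example's own; it is not an implementation of Netlogon or of its ComputeNetlogonCredential function.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit block, the same size as AES


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher's encrypt direction.

    CFB8 only uses the cipher's forward direction, so any keyed pseudo-random
    function shows the same structural behaviour as AES here. HMAC-SHA256
    truncated to 16 bytes is that stand-in; it is NOT AES (assumption of this
    example, chosen so the code runs with the standard library only).
    """
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: each plaintext byte is XORed with the first byte of
    E_k(shift register), and the ciphertext byte is shifted into the register."""
    assert len(iv) == BLOCK
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = toy_block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        del register[0]
        register.append(c)
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CFB8 decryption: same keystream, but the ciphertext byte is what
    gets fed back into the register."""
    assert len(iv) == BLOCK
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        keystream_byte = toy_block_encrypt(key, bytes(register))[0]
        out.append(c ^ keystream_byte)
        del register[0]
        register.append(c)
    return bytes(out)


ZERO_IV = bytes(BLOCK)  # the fixed IV that makes the mode unsafe


def all_zero_output_with_zero_iv(key: bytes, length: int = 8) -> bool:
    """True when `length` zero bytes encrypt to `length` zero bytes under the
    fixed all-zero IV. Structurally this happens exactly when the first byte of
    E_k(0^16) is 0: the register then never changes, so every keystream byte
    is that same zero byte. The default of 8 bytes is the size of a Netlogon
    credential value."""
    return cfb8_encrypt(key, ZERO_IV, bytes(length)) == bytes(length)


def derive_key(seed: int) -> bytes:
    # Constructed, deterministic key material for the demonstration.
    return hashlib.sha256(b"zerologon-demo-key" + seed.to_bytes(4, "big")).digest()[:BLOCK]


def derive_iv(seed: int) -> bytes:
    # Constructed, deterministic per-session IV (what a safe mode would randomize).
    return hashlib.sha256(b"zerologon-demo-iv" + seed.to_bytes(4, "big")).digest()[:BLOCK]


def find_key_with_zero_output(max_tries: int = 10000) -> bytes:
    """Search constructed keys for one that yields all-zero output under the
    fixed IV; with a 1/256 chance per key this takes ~256 tries on average."""
    for seed in range(max_tries):
        key = derive_key(seed)
        if all_zero_output_with_zero_iv(key):
            return key
    raise RuntimeError("no such key found in %d tries" % max_tries)


def fraction_all_zero(trials: int, per_session_iv: bool) -> float:
    """Fraction of constructed keys for which 8 zero bytes encrypt to 8 zero
    bytes, with a fixed zero IV (False) or a fresh IV per session (True)."""
    hits = 0
    for seed in range(trials):
        key = derive_key(seed)
        iv = derive_iv(seed) if per_session_iv else ZERO_IV
        if cfb8_encrypt(key, iv, bytes(8)) == bytes(8):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    weak = find_key_with_zero_output()
    print("fixed zero IV, weak key   ->", cfb8_encrypt(weak, ZERO_IV, bytes(8)).hex())
    print("per-session IV, same key  ->", cfb8_encrypt(weak, derive_iv(1), bytes(8)).hex())
    print("fixed IV, fraction of keys giving all zeros:   %.4f (expect ~1/256)"
          % fraction_all_zero(4096, False))
    print("per-session IV, fraction of keys giving zeros: %.4f"
          % fraction_all_zero(4096, True))
```

With the fixed zero IV, whether all-zero input maps to all-zero output depends on a single keystream byte, so about one key in 256 does; with a fresh IV per session the example finds no such key in 4096 trials. The defender's takeaway is that the cipher itself is sound and the fixed IV is the defect, which is why the remediation is to apply the update and enforce secure Netlogon RPC rather than to change ciphers.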

We strongly encourage all users and system administrators to apply Microsoft’s August Patch Tuesday update, as it fixes the vulnerability by enforcing secure remote procedure call (RPC) usage in the Netlogon protocol for all Windows devices. Tenable has developed a series of plugins to help administrators identify the CVE-2020-1472 vulnerability. A list of affected products can be found below, as well as several proofs of concept.


Proof of Concept – GitHub:


Affected Products:

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)

Sources:
