
Zerologon Privilege Escalation Vulnerability

Zerologon is a privilege escalation vulnerability in the Netlogon protocol used by Windows DCs. Exploitation of this vulnerability could result in the total compromise of an affected organisation's Windows domain tree and any associated domains.




Threat details

Introduction

Microsoft has released details of a privilege escalation vulnerability, known as Zerologon, affecting the Netlogon Remote Protocol (MS-NRPC). Microsoft states that an unauthenticated attacker with network access to a domain controller could exploit the vulnerability to obtain domain administrator privileges on the target network.

Netlogon is used by Windows domain controllers (DCs) to authenticate user and computer accounts on domain-joined networks, and to maintain the trust relationships between multiple domains and their respective domain controllers.


Vulnerability

The vulnerability is the result of a flaw in the way MS-NRPC uses the AES-CFB8 encryption function to compute client and server credentials: the cipher is run with a fixed all-zero initialisation vector, so for roughly one in 256 session keys an all-zero client challenge produces an all-zero credential. By repeatedly sending a logon request with an all-zero challenge and an all-zero credential, an attacker can, within a few hundred attempts, authenticate to a domain controller as any computer account in the domain, including the domain controllers themselves.

A second call can then be used to reset the Netlogon machine account password of any computer in the domain, setting the password stored in Active Directory to an empty value. The password held locally on that computer no longer matches, so it can no longer authenticate to the domain, which results in a denial-of-service condition on the affected client. Used against a domain controller, the same call resets the domain controller's own account password in Active Directory, after which the attacker can authenticate as the domain controller with a password of their choosing.
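The two properties described above (a fixed zero IV in CFB8, and the resulting one-in-256 chance that an all-zero challenge yields an all-zero credential) can be shown directly. The following is an added example, not code from the page or from any exploit: it implements CFB8 and the Netlogon credential computation, and simulates the bypass loop against a server that picks a fresh random challenge each time. Two stand-ins are assumed and labelled in the code: an HMAC-SHA256-based keyed function takes the place of the AES block cipher (CFB only ever uses the encrypt direction, so the weakness is independent of which block cipher is used), and SHA-256 of the password stands in for the NT hash (MD4) in the session key derivation, so that the block needs only the standard library.

```python
import hashlib
import hmac
import random

ZERO8 = bytes(8)     # all-zero 8-byte challenge / credential
ZERO_IV = bytes(16)  # the fixed IV that MS-NRPC uses with AES-CFB8


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (assumption, not the real cipher).
    CFB mode only calls the block cipher in the forward direction, so any keyed
    pseudorandom function with a 16-byte output reproduces the mode exactly."""
    return hmac.new(key, block, hashlib.sha256).digest()[:16]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each output byte is the plaintext byte XOR the first byte of
    E(shift register); the ciphertext byte is then shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential (AES flavour): CFB8 over the 8-byte challenge
    with an all-zero IV. The fixed IV is the flaw."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def session_key(machine_password: str, client_challenge: bytes, server_challenge: bytes) -> bytes:
    """Session key derivation. The real protocol keys HMAC-SHA256 with the NT hash
    (MD4 of the UTF-16LE password); SHA-256 is an assumed stand-in for MD4 here."""
    nt_hash_stand_in = hashlib.sha256(machine_password.encode("utf-16-le")).digest()[:16]
    return hmac.new(nt_hash_stand_in, client_challenge + server_challenge, hashlib.sha256).digest()[:16]


def is_weak_session_key(key: bytes) -> bool:
    """With a zero IV and a zero challenge the register never changes, so the whole
    credential is zero exactly when the first byte of E(key, 0^16) is zero."""
    return block_encrypt(key, ZERO_IV)[0] == 0


def find_weak_session_key(start: int = 0) -> bytes:
    """Search counter-valued keys for one that yields an all-zero credential."""
    counter = start
    while True:
        key = counter.to_bytes(16, "little")
        if is_weak_session_key(key):
            return key
        counter += 1


def weak_key_fraction(samples: int, seed: int = 0) -> float:
    """Estimate the probability that a random session key is weak (expected 1/256)."""
    rng = random.Random(seed)
    weak = sum(is_weak_session_key(rng.getrandbits(128).to_bytes(16, "little"))
               for _ in range(samples))
    return weak / samples


def zerologon_attempts(machine_password: str, seed: int = 0, max_attempts: int = 20000):
    """Simulate the bypass: the attacker always sends an all-zero client challenge
    and an all-zero client credential. The server picks a fresh random server
    challenge each time, so every attempt gets an independent session key and
    succeeds with probability 1/256. Returns the attempt number the server
    accepts, or None if max_attempts is exhausted."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        server_challenge = rng.getrandbits(64).to_bytes(8, "little")
        key = session_key(machine_password, ZERO8, server_challenge)
        if compute_netlogon_credential(key, ZERO8) == ZERO8:
            return attempt
    return None


if __name__ == "__main__":
    key = find_weak_session_key()
    print("weak key:", key.hex())
    print("credential for zero challenge:", compute_netlogon_credential(key, ZERO8).hex())
    print("fraction of weak keys:", weak_key_fraction(20000))
    print("attempts until bypass:", zerologon_attempts("constructed-machine-password"))
```

Note that the attacker never needs the machine password: the only thing that matters is the first byte of E(session_key, 0^16), and the loop simply retries until a session key with that byte equal to zero comes up. Any non-zero byte in the challenge, or a non-zero IV, changes the first output byte and breaks the chain, which is why the flaw is specific to the zero IV rather than to AES.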

Active exploitation

When CVE-2020-1472 was first published as part of Microsoft's scheduled August 2020 updates, there were no known public exploits and no observed attacks targeting this vulnerability.

However, from Monday 14 September 2020, a number of automated and semi-automated exploits began appearing on public sites under the name Zerologon, alongside evidence of active attacks against vulnerable systems.


Threat updates

12 Feb 2021 Microsoft announces second phase of updates

Microsoft has announced the release of the second phase of Windows updates to address the Zerologon vulnerability, included with the February 2021 security updates. These updates enable enforcement mode on all supported Windows domain controllers. Vulnerable Netlogon secure channel connections from non-compliant devices are blocked unless the device account has been explicitly added to the security group the update uses for exceptions.

26 Nov 2020 APT10 targeting Zerologon

The APT10 advanced persistent threat group is actively exploiting Zerologon in attacks against automotive, engineering and pharmaceutical organisations globally.

It is not known how the group gains initial access to target networks, although there are confirmed reports that it is using both QuasarRAT and Hartip to extract information and deliver secondary payloads.

14 Oct 2020 VPN attack chaining

Several advanced persistent threat groups are chaining Zerologon exploits with a number of existing VPN and MDM vulnerabilities to compromise target networks.

Their targets include both critical national infrastructure as well as organisations administering the upcoming US presidential elections.


24 Sep 2020 SharpZeroLogon

Microsoft has now confirmed a number of active attacks appearing to use the SharpZeroLogon open-source exploit.

All observed attacks attempt to reset the machine account password of affected domain controllers to an empty value, so the NT hash stored in Active Directory for the domain controller's account becomes the hash of the empty password, 31d6cfe0d16ae931b73c59d7e0c089c0.


Remediation advice

At the time of publication, Microsoft has stated that this vulnerability will be addressed in two separate updates: the first is available now and the second is due in the first quarter of 2021. Affected organisations are encouraged to review Microsoft's security update for CVE-2020-1472 and apply the first update.

Organisations are also encouraged to review Microsoft's guidance article 'How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472' and apply the partial mitigation steps in advance of the second update.

Organisations using Samba as part of their domain controller infrastructure are encouraged to review the Samba security announcement for CVE-2020-1472 and apply the relevant update.


Indicators of compromise

Host indicators

Empty NTLM password hash

  • 31d6cfe0d16ae931b73c59d7e0c089c0



Last edited: 12 February 2021 11:14 am