Zerologon Vulnerability: Becoming a domain admin in 10 seconds CVE-2020-1472

A security firm named Secura has published a white paper of a vulnerability (CVE-2020-1472) affecting Microsoft's Netlogon authentication component. The vulnerability allows unauthorized code execution on the Domain Controller. The name of vulnerability has been determined as "Zerologon" by the company. The reason the vulnerability is named with this name is that the attack is done by adding the "0" character to the Netlogon authentication parameters. The attack is listed under MITER ATT&CK as "Lateral Movement Tactic" and "Exploitation of Remote Services (T1210)".

About Vulnerability:

The vulnerability got 10 full points out of 10 as the criticality level (CVSS score). It has been stated that the vulnerability is caused by a weak cryptographic algorithm used in the authentication process of the Netlogon protocol. The vulnerability allows an attacker with network access to the Domain Controller to control the entire Active Directory service, namely the Domain Controller server.

It is considered that the attack can be preferred frequently by the attackers because the attack occurs very quickly and the only requirement is that the attacker has access to the target network. Microsoft Security Intelligence stated in a post on social media that the attackers started to carry out attacks by taking advantage of this vulnerability.

Since the vulnerability directly affects the Domain Controller, it is predicted that the attackers may distribute malware on the target network or, by infecting ransomware software, encrypt all devices included in the domain and demand ransom in return.

The update on vulnerability has been published by Microsoft.

Security researchers of Secura company have published a Python code (https://github.com/SecuraBV/CVE-2020-1472) as an open-source to test Zerologon vulnerability. However, as the script will change the password of the Domain Controller account if successful, it is recommended not to test it in a live environment.

Apart from the Secura company, it is seen that different Poc codes are being published on GitHub:

• https://github.com/dirkjanm/CVE-2020-1472
• https://github.com/risksense/zerologon
• https://github.com/blackarrowsec/redteam-research
• https://github.com/bb00/zer0dump

Affected Systems:

• Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Windows Server 2012
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 R2 (Server Core installation)
• Windows Server 2016
• Windows Server 2016 (Server Core installation)
• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server, version 1903 (Server Core installation)
• Windows Server, version 1909 (Server Core installation)
• Windows Server, version 2004 (Server Core installation)

Security Steps:

• Relevant updates released by Microsoft in August should be applied.
• With the new update, the links containing the Netlogon vulnerability are specified with 'EventID 5829'. Both monitoring and blocking operations should be performed using relevant security solutions.
• Secure RPC enforcement mode should be enabled for all devices. Microsoft announced with the February 2021 patch that it will make this process mandatory for all clients.
• By monitoring MS-NRPC traffic coming from outside the defined networks, the risk posed by attackers can be reduced by using security solutions at the defense layer.