Zerologon (CVE-2020-1472) Domain Controller Exploit in Windows AD
(This alert is for IT staff in departments running their own AD domain. This is an issue at the Windows domain level, not at the individual Windows computer level.)
tl;dr
Several public exploits (many hosted on GitHub) allow an adversary with network access to a domain controller to change the DC's machine account password. That breaks domain controller-to-domain controller communication and, with the updated machine account password in hand, lets the attacker create a new account and become domain admin.
What to do
- Patch your domain controllers now. Microsoft has released patches and guidance addressing the vulnerability and how to mitigate against attacks.
- Create a Group Policy Object (GPO) that sets the registry value which turns on enforcement mode now, ahead of Microsoft making it mandatory on February 9, 2021, to mitigate this attack.
For more info, see the “Registry value for enforcement mode” table on this page:
How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
Description of the problem
Information security researchers have discovered a major security vulnerability, dubbed Zerologon, that allows attackers to infiltrate organizations by gaining administrative privileges, giving them access to Active Directory (AD) domain controller (DC) servers.
This privilege escalation flaw is critical in severity and has been given a “10 out of 10” rating under the Common Vulnerability Scoring System (CVSS). Microsoft released initial patches on August 11. It is crucial to install them immediately.
A flaw in the authentication mechanism of the Microsoft Netlogon Remote Protocol (MS-NRPC), which AD and its supporting services implement over RPC tcp (including http) and port 135 (SMB), enables attackers to reset the domain controller’s computer account password. This allows attackers to impersonate the domain controller itself and execute remote procedure calls (RPC) on its behalf.
Exploits taking advantage of the bug were recently published and attackers have begun scanning for and compromising vulnerable systems. Exploitable DC vulnerabilities can result in the compromise of an entire fleet of managed devices. Domain admins are advised to follow Microsoft mitigation guidance urgently.
Guidance
- Patch your domain controllers now. Microsoft has released patches and guidance addressing the vulnerability and how to mitigate against attacks.
- Adapt the script CVE-2020-1472EventReader.ps1 to detect this attack from the Netlogon events your domain controllers record.
- The initial patches (released August 11) enforce a secure MS-NRPC Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DCs), and generate Windows Event Log entries for non-compliant clients so they can be updated or mitigated.
- Configure Samba to enforce a secure netlogon channel.
- On February 9, 2021, Microsoft will begin enforcing the secure channel for all devices connecting to a DC not specified in a special exception group.
- Administrators are encouraged to enable the extra protections offered by enforcement mode before Microsoft makes it mandatory; this can be done by updating a registry key via Group Policy. (Contact ciso@uw.edu for a GPO available in the NetID domain; use subject line GPO.)
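The following PowerShell script is an added example for the "What to do" and "Guidance" steps above; it is not part of this advisory, the Microsoft guidance, or the CVE-2020-1472EventReader.ps1 script. It audits a domain controller for the enforcement-mode registry value (FullSecureChannelProtection under the Netlogon Parameters key, the value Microsoft's "Registry value for enforcement mode" table describes), optionally sets it on a single DC, and summarizes the Netlogon secure-channel events (IDs 5827-5831) that patched DCs write to the System log. The function names are the author's own; the regex that extracts the account name from the event message is an assumption about the English message text and may need adjusting for your locale.

```powershell
# Added example (not from the advisory): audit a DC for Zerologon enforcement
# state and summarize the Netlogon secure-channel events the August 2020
# patches emit. Run in an elevated PowerShell session on a patched DC.

$NetlogonKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$EnforceValue = 'FullSecureChannelProtection'   # DWORD; 1 = enforcement mode on

function Get-ZerologonEnforcementState {
    # Returns 'Enforced', 'NotEnforced', or 'NotSet' for the local DC.
    $props = Get-ItemProperty -Path $NetlogonKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$EnforceValue) { return 'NotSet' }
    if ([int]$props.$EnforceValue -eq 1) { return 'Enforced' }
    return 'NotEnforced'
}

function Enable-ZerologonEnforcement {
    # Turns enforcement mode on locally. Prefer deploying the same value as a
    # GPO registry preference to every DC; this is for one DC or a lab.
    # Supports -WhatIf so you can preview the change.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($NetlogonKey, "Set $EnforceValue = 1")) {
        New-ItemProperty -Path $NetlogonKey -Name $EnforceValue `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-NetlogonVulnerableConnectionEvents {
    # Event IDs written by the patched Netlogon service (System log):
    #   5827 / 5828  vulnerable connection DENIED (machine / trust account)
    #   5829         vulnerable connection ALLOWED because enforcement is off
    #   5830 / 5831  vulnerable connection ALLOWED by the group policy exception
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent errors when no matching events exist.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

function Get-NetlogonVulnerableConnectionSummary {
    # One row per (event ID, account) with a count and last-seen time, so each
    # non-compliant device shows up once and can be queued for patching.
    param([int]$Days = 7)
    Get-NetlogonVulnerableConnectionEvents -Days $Days |
        ForEach-Object {
            # Assumption: English messages carry a line like
            # "Machine SamAccountName: HOST$" (or "Account Name:" for trusts).
            $account = if ($_.Message -match '(?:SamAccountName|Account Name):\s*(\S+)') {
                $Matches[1]
            } else { 'unknown' }
            [pscustomobject]@{ EventId = $_.Id; Account = $account; Time = $_.TimeCreated }
        } |
        Group-Object EventId, Account |
        ForEach-Object {
            [pscustomobject]@{
                EventId  = $_.Group[0].EventId
                Account  = $_.Group[0].Account
                Count    = $_.Count
                LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            }
        } |
        Sort-Object EventId, Count -Descending
}

# Usage on a DC:
"Enforcement state: $(Get-ZerologonEnforcementState)"
Get-NetlogonVulnerableConnectionSummary -Days 30 | Format-Table -AutoSize
# Enable-ZerologonEnforcement -WhatIf   # preview; drop -WhatIf to apply
```

Read the summary before turning enforcement on: 5829 rows are the devices that will start failing once enforcement is mandatory, and 5830/5831 rows are devices you have already excepted by group policy and should be tracking for replacement.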
References
- CVE-2020-1472: Netlogon Elevation of Privilege Vulnerability
- Microsoft support: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
- Secura blog post: Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)
- Threatpost: Windows Exploit Released For Microsoft ‘Zerologon’ Flaw
- The Samba Bugzilla: Samba impact of “ZeroLogon”
- Mimikatz tool video on GitHub: https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20200917