
Mitigating CVE-2020-1472: Zerologon Vulnerability in Windows Domain Controllers


Executive Summary

CVE-2020-1472, widely known as Zerologon, is a critical elevation of privilege vulnerability in the Netlogon Remote Protocol (MS-NRPC) used by Windows domain controllers. It allows an unauthenticated attacker to establish a vulnerable Netlogon secure channel connection to a domain controller and potentially gain domain administrator access. APT groups leveraging this vulnerability have targeted the government, healthcare, finance, and critical infrastructure sectors across the United States, Europe, and Asia.

Technical Information

CVE-2020-1472 is a critical vulnerability with a CVSS v3.1 Base Score of 10.0, the highest possible severity. The vulnerability arises from the insecure use of AES-CFB8 encryption in the Netlogon authentication scheme. An attacker can exploit this flaw by sending a series of specially crafted Netlogon messages to a domain controller, which allows them to impersonate any computer in the domain, including the domain controller itself. This can lead to a complete domain takeover.

The vulnerability affects multiple versions of Microsoft Windows Server, including Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. Additionally, various versions of Samba and certain Linux distributions, such as Red Hat Enterprise Linux 6, 7, and 8 and Ubuntu Linux 14.04 ESM Edition, are also impacted.

The exploitation process involves the attacker sending a series of Netlogon messages with zeroed-out fields, which bypasses the cryptographic protections of the Netlogon protocol. This allows the attacker to establish a secure channel to the domain controller and subsequently change the domain controller's machine account password, effectively gaining administrative control over the domain.

Exploitation in the Wild

The Zerologon vulnerability has been actively exploited in the wild. Attackers have used this vulnerability to gain unauthorized access to domain controllers, steal domain credentials, and propagate malware across networks. Notable incidents include:

  • APT Groups: Various Advanced Persistent Threat (APT) groups, such as APT29 (Cozy Bear), have been observed leveraging Zerologon in their campaigns to escalate privileges within targeted networks.
  • Ransomware Attacks: Several ransomware groups have incorporated Zerologon into their attack chains to facilitate lateral movement and escalate privileges.

Indicators of Compromise (IOCs) for this vulnerability include unusual Netlogon traffic, unauthorized access attempts to domain controllers, and unexpected changes in domain controller configurations.

APT Groups using this vulnerability

APT29 (Cozy Bear), a well-known Russian cyber espionage group, has been observed exploiting the Zerologon vulnerability to escalate privileges within targeted networks. This group primarily targets government, healthcare, finance, and critical infrastructure sectors across the United States, Europe, and Asia. Other APT groups have also been reported to leverage this vulnerability in their campaigns, highlighting the widespread and critical nature of this threat.

Affected Product Versions

The following product versions are affected by CVE-2020-1472:

  • Microsoft Windows Server: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
  • Samba: versions before 4.8
  • Linux distributions: Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Ubuntu Linux 14.04 ESM Edition

Workaround and Mitigation

Microsoft addressed the vulnerability through a phased rollout of updates. The first phase modified how Netlogon handles secure channels and logged, but still allowed, vulnerable connections; the second phase, completed in Q1 2021, enforced these changes.

Specific recommendations include:

  1. Apply Patches: Ensure all domain controllers are updated with the latest security patches provided by Microsoft. Refer to the Microsoft Security Advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 for detailed guidance.
  2. Monitor Network Traffic: Implement network monitoring to detect unusual Netlogon traffic, which may indicate exploitation attempts.
  3. Restrict Access: Limit access to domain controllers and ensure only trusted devices can communicate with them over the network.
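The following PowerShell script is an added example for recommendations 1 and 2, not code from the Rescana report. It assumes it is run elevated on a patched domain controller, where the Microsoft update logs NETLOGON events 5827-5831 in the System log for vulnerable secure channel connections and reads the FullSecureChannelProtection registry value to decide enforcement; the "Machine SamAccountName:" parsing of the event text is an assumption about the message layout.

```powershell
# Added example (not from the original report): check a domain controller's
# Zerologon enforcement state and list vulnerable Netlogon connections it logged.
# Run elevated on the DC itself.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Event IDs written by the patched Netlogon service and what each one means.
$ZerologonEvents = @{
    5827 = 'DENIED  vulnerable connection from a machine account'
    5828 = 'DENIED  vulnerable connection from a trust account'
    5829 = 'ALLOWED vulnerable connection (initial deployment phase, not enforced)'
    5830 = 'ALLOWED vulnerable connection (machine account exempted by group policy)'
    5831 = 'ALLOWED vulnerable connection (trust account exempted by group policy)'
}

function Get-ZerologonEnforcementState {
    # 1 = enforce, 0 = allow vulnerable connections. DCs carrying the
    # February 2021 enforcement-phase update enforce regardless of this value.
    $p = Get-ItemProperty -Path $NetlogonKey -Name FullSecureChannelProtection -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'NotSet (enforced if the enforcement-phase update is installed)' }
    if ($p.FullSecureChannelProtection -eq 1) { return 'Enforced' }
    return 'NotEnforced (FullSecureChannelProtection = 0)'
}

function Get-VulnerableNetlogonConnections {
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = @($ZerologonEvents.Keys)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumption: the event text carries a "Machine SamAccountName:" line.
        $account = if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Meaning = $ZerologonEvents[$_.Id]
            Account = $account
        }
    }
}

"Enforcement state: $(Get-ZerologonEnforcementState)"
$hits = Get-VulnerableNetlogonConnections -Days 30
if (-not $hits) { 'No vulnerable Netlogon connections logged in the last 30 days.' }
else { $hits | Sort-Object Time | Format-Table -AutoSize }
```

Any 5829/5830/5831 entry names a device that still negotiates a vulnerable secure channel and needs patching or isolation before it is denied; repeated 5827/5828 entries from one account are worth investigating as possible exploitation attempts.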

References

  • NVD - CVE-2020-1472: https://nvd.nist.gov/vuln/detail/cve-2020-1472
  • Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
  • CrowdStrike Blog on Zerologon: https://www.crowdstrike.com/blog/cve-2020-1472-zerologon-security-advisory/
  • Tenable Blog on Zerologon: https://www.tenable.com/blog/cve-2020-1472-zerologon-vulnerability-in-netlogon-could-allow-attackers-to-hijack-windows
  • Vicarius Technical Deep Dive: https://www.vicarius.io/vsociety/posts/zerologon-cve-2020-1472-technical-deep-dive-into-a-critical-windows-authentication-vulnerability-1
  • Trend Micro Overview: https://www.trendmicro.com/en_us/what-is/zerologon.html

Rescana is here for you

At Rescana, we understand the critical nature of vulnerabilities like CVE-2020-1472 and the importance of timely and effective mitigation. Our Continuous Threat and Exposure Management (CTEM) platform helps organizations identify, assess, and remediate vulnerabilities in real-time, ensuring robust protection against emerging threats. We are committed to providing our customers with the tools and insights needed to safeguard their digital assets. If you have any questions about this report or any other issue, please contact us at ops@rescana.com.
