As part of its August monthly update, Microsoft has applied a temporary patch to a critical elevation of privilege flaw which can be exploited by attackers to take over Windows Servers running as domain controllers, as well as host computers in enterprise networks.
Tracked as CVE-2020-1472 (CVSS score 10.0) and also dubbed Zerologon or Netlogon Elevation of Privilege Vulnerability, the flaw is an elevation of privilege vulnerability that exists when an unauthenticated attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). It takes advantage of a weak cryptographic algorithm used in the Netlogon authentication process, the protocol that authenticates users against domain controllers. To perform the Zerologon attack, an attacker first needs a foothold inside the network. Once that condition is met, the attacker, without any credentials, only needs to use MS-NRPC to connect to a domain controller to obtain domain administrator access. If successful, this allows threat actors to manipulate Netlogon authentication procedures, impersonate the identity of any computer on the network when authenticating against the domain controller, disable security features in the Netlogon authentication process, and even change a computer's password in the domain controller's Active Directory.
As of this writing, weaponized proof-of-concept (PoC) code has been published and is publicly available, meaning that exploitation of vulnerable systems can occur at any time. In a hypothetical attack, an adversary could leverage this vulnerability to spread malware throughout an organization and maintain a persistent presence.
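As an added example that is not part of this advisory (not CERT-PH or Microsoft code), the following Python triage flags the footprint of the activity described above in Windows event records: Security event 4742 (computer account changed) raised by ANONYMOUS LOGON (SID S-1-5-7) against a computer account, and the System-log Netlogon events 5827, 5828 and 5829 that patched domain controllers emit for vulnerable connections. The record format is a simplified dict, the sample events are constructed, and the `Account` field name used for the Netlogon events is an assumption.

```python
"""Triage Windows event records for Zerologon (CVE-2020-1472) indicators.
Added example (not CERT-PH or Microsoft code); records are simplified dicts."""

ANONYMOUS_LOGON_SID = "S-1-5-7"

# System-log Netlogon events added by the August 2020 update: the DC denied
# (5827 machine / 5828 trust account) or allowed (5829) a vulnerable connection.
NETLOGON_EVENTS = {
    5827: ("medium", "DC denied vulnerable Netlogon connection (machine account)"),
    5828: ("medium", "DC denied vulnerable Netlogon connection (trust account)"),
    5829: ("high", "DC allowed vulnerable Netlogon connection (non-Windows device)"),
}


def classify(event):
    """Return (severity, description) for a suspicious record, else None."""
    eid = event.get("EventID")
    if eid == 4742:  # Security log: a computer account was changed
        target = event.get("TargetUserName", "")
        # Machine accounts rotate their own password; an ANONYMOUS LOGON caller
        # changing one matches the Netlogon password reset described above.
        if target.endswith("$") and event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID:
            return ("critical", f"computer account {target} changed by ANONYMOUS LOGON")
        return None
    if eid in NETLOGON_EVENTS:
        severity, text = NETLOGON_EVENTS[eid]
        # 'Account' is this sample's assumed field name for the reported machine account.
        return (severity, f"{text}: {event.get('Account', 'unknown')}")
    return None


def triage(events):
    """Return (host, severity, description) for every suspicious record."""
    findings = []
    for event in events:
        hit = classify(event)
        if hit:
            findings.append((event.get("Computer", "?"),) + hit)
    return findings


SAMPLE_EVENTS = [  # constructed samples, not real logs
    {"EventID": 4742, "Computer": "DC01", "SubjectUserSid": "S-1-5-18",
     "SubjectUserName": "DC01$", "TargetUserName": "DC01$"},           # routine
    {"EventID": 4742, "Computer": "DC01", "SubjectUserSid": "S-1-5-7",
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"},  # suspicious
    {"EventID": 5829, "Computer": "DC01", "Account": "NAS01$"},
    {"EventID": 4624, "Computer": "WS07"},
]
```

Running `triage(SAMPLE_EVENTS)` returns one critical finding for the anonymous 4742 change and one high finding for the 5829 event; the routine rotation and the unrelated logon are ignored.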
The second phase of the patch is scheduled for February 2021 to fully address the vulnerability.
Affected systems:
- Windows Server version 1903, 1909, and 2004
- Windows Server 2008 R2 for x64-based Systems Service
- Windows Server 2012 to 2019
CERT-PH recommends the following actions be taken:
Immediately test and apply the corresponding patches for affected systems from the August Patch Tuesday update published by Microsoft, and prepare for the second phase of the patch, which will fully address the issue.