CVE-2020-1472 is an elevation of privilege vulnerability in the Netlogon Remote Protocol (MS-NRPC). Microsoft released the first phase of a two-phase patch on 11 August 2020. On 14 September the Cybersecurity and Infrastructure Security Agency (CISA) warned that exploit code for the vulnerability, by then known as Zerologon, was publicly available. The Common Vulnerability Scoring System (CVSS) rated it 10.0, the maximum severity. It became a serious problem for organisations with slower or less organised patch management because of how quickly it was weaponised.
The flaw was discovered by Secura researchers, who disclosed it to Microsoft. Secura published a technical whitepaper on 11 September 2020, a month after the patch, and within hours several proof-of-concept exploits and tools appeared on GitHub, which were soon used against other organisations.
CVE-2020-1472 (aka Zerologon) affects all supported Windows Server versions, but in practice the target is a domain controller, since that is where the Netlogon server side runs in an enterprise network. The vulnerability stems from a flaw in the custom cryptographic authentication scheme used by the Netlogon Remote Protocol.
The attack works by sending a series of Netlogon messages in which various fields are filled with zeroes. This lets an attacker change the password of the domain controller's computer account as stored in Active Directory, use the resulting access to obtain domain administrator credentials, and then restore the original password.
Attackers commonly combine it with public red-teaming tooling, for example Cobalt Strike for command and control (C2). The attack lets anyone who can reach a domain controller's Netlogon RPC endpoint on the network completely compromise the Windows domain. What makes it so significant is that it is completely unauthenticated: the attacker does not need any user credentials.
The vulnerability has also been used as a step towards deploying ransomware and, where cleanup and restoration efforts miss additional malicious scripts or accounts, towards maintaining a persistent presence.
The Netlogon Remote Protocol is an RPC interface used by domain-joined machines, for example to authenticate computer accounts to a domain controller and to maintain the secure channel between them. Most RPC interfaces obtain their security from the standard Windows authentication providers (Kerberos or NTLM); Netlogon instead implements its own handshake, session-key derivation and credential computation inside MS-NRPC. The flaw sits in that custom scheme, which is why it affects only Netlogon and not other RPC services.
What makes Zerologon dangerous is the way the encryption primitive is used throughout the authentication handshake: an AES-CFB8 computation with a fixed, all-zero initialisation vector, which for roughly one session key in 256 turns an all-zero input into an all-zero output.
In the first phase the attacker establishes an insecure Netlogon channel with the domain controller while spoofing the identity of that same domain controller. It sends a client challenge of eight zero bytes and a client credential (the "ciphertext") of eight zero bytes, and leaves the sign-and-seal option out of the negotiated flags so that the channel is neither signed nor encrypted. The credential check passes for about 1 in 256 session keys, and since the server challenge (and therefore the session key) changes on every attempt, a brute force needs about 256 attempts on average, which takes seconds.
The next step is to call the NetrServerPasswordSet2 method to set the domain controller account's password, as stored in Active Directory, to an empty one: the encrypted password blob is sent as all zeros, which the same weak key decrypts to a zero-length password. This breaks some domain controller functionality, since the copy of the password the domain controller keeps locally (in its LSA secrets in the registry) does not change and no longer matches Active Directory.
Once the password has been blanked, the attacker authenticates to that same domain controller with the now-empty computer-account password and dumps further credentials, including the krbtgt and domain administrator hashes, over the Directory Replication Service (MS-DRSR) protocol, the same mechanism a DCSync attack uses. The attacker then uses those administrator credentials to read the original password from the domain controller's local registry and reverts the account to it, so the domain controller keeps working and the intrusion is less likely to be detected.
The dumped hashes can be used for any further attack, such as forging a Golden Ticket or passing the hash with domain administrator credentials to access any device on the network.
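To make the two phases above concrete, here is an added simulation in Python; it is not the page's own code, nor Secura's tool or any public PoC. It implements the CFB8 credential computation with the fixed zero IV, a minimal stand-in for the domain controller's side of NetrServerAuthenticate3 and NetrServerPasswordSet2, and the attacker's brute-force loop, then runs the same loop against a DC that refuses unsigned, unsealed channels. Assumptions, all labelled in the code: a SHA-256 keyed block function replaces AES-128 because AES is not in the standard library; the session key is modelled as fresh random bytes per attempt rather than derived from the machine password; the negotiate-flag values are the ones public PoCs are known to send; the authenticator check is simplified; and every class and function name is the example's own.

```python
"""
Offline simulation of the Zerologon flaw in ComputeNetlogonCredential and of the two
Netlogon calls the attack chains (NetrServerAuthenticate3, then NetrServerPasswordSet2).
Added example: not the page's code and not Secura's tool. Real Netlogon uses AES-128 in
CFB8 mode with a fixed all-zero IV; AES is not in the standard library, so a SHA-256 keyed
block function stands in for the AES forward transform (assumption). CFB only ever runs
the cipher forwards, so the property survives: if E(key, 0^16)[0] == 0, zeros map to zeros.
"""
import hashlib
import random

BLOCK = 16
ZERO_IV = bytes(BLOCK)        # MS-NRPC fixes the CFB8 IV to 16 zero bytes: the root cause
ZERO_CHALLENGE = bytes(8)
FLAG_SIGN_SEAL = 0x40000000   # negotiate bit requesting signing and sealing (assumed value)
POC_FLAGS = 0x212FFFFF        # flag set public PoCs send (assumed); FLAG_SIGN_SEAL is clear


def block_encrypt(key, block):
    """Stand-in for the AES-128 forward transform (assumption, see module docstring)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8(key, data, decrypt=False, block_fn=block_encrypt):
    """8-bit CFB over a 16-byte shift register that starts as ZERO_IV."""
    reg = bytearray(ZERO_IV)
    out = bytearray()
    for b in data:
        o = b ^ block_fn(key, bytes(reg))[0]
        out.append(o)
        reg = reg[1:] + bytes([b if decrypt else o])   # register is fed the ciphertext byte
    return bytes(out)


def compute_netlogon_credential(session_key, challenge, block_fn=block_encrypt):
    """MS-NRPC ComputeNetlogonCredential, AES variant: CFB8(key, IV=0, 8-byte input)."""
    return cfb8(session_key, challenge, block_fn=block_fn)


def is_weak_key(session_key, block_fn=block_encrypt):
    """About 1 key in 256: the first keystream byte for the all-zero register is 0x00."""
    return block_fn(session_key, ZERO_IV)[0] == 0


class SimulatedDC:
    """Server side of the two calls, without the network or the real key derivation."""
    def __init__(self, seed, require_sign_seal=False):
        self.rng = random.Random(seed)
        self.require_sign_seal = require_sign_seal   # True models a DC patched in August 2020
        self.session_key = self.stored_credential = None
        self.machine_password = b"original machine-account password"
        self.failed_auths = 0

    def authenticate3(self, client_challenge, client_credential, negotiate_flags):
        if self.require_sign_seal and not negotiate_flags & FLAG_SIGN_SEAL:
            return False      # patched DC refuses an unsigned, unsealed channel outright
        # Real key: derived from machine password + both challenges; the server challenge
        # is fresh on every call, so a fresh random key models it here (assumption).
        session_key = bytes(self.rng.getrandbits(8) for _ in range(BLOCK))
        if compute_netlogon_credential(session_key, client_challenge) != client_credential:
            self.failed_auths += 1
            return False
        self.session_key, self.stored_credential = session_key, client_credential
        return True

    def password_set2(self, authenticator_credential, timestamp, encrypted_blob):
        # Authenticator: credential over the stored credential with the timestamp added to
        # its first four bytes (simplified from MS-NRPC).
        first = (int.from_bytes(self.stored_credential[:4], "little") + timestamp) & 0xFFFFFFFF
        auth_input = first.to_bytes(4, "little") + self.stored_credential[4:]
        if compute_netlogon_credential(self.session_key, auth_input) != authenticator_credential:
            return False
        # NL_TRUST_PASSWORD: 512-byte buffer, password right-aligned, then a 4-byte length.
        blob = cfb8(self.session_key, encrypted_blob, decrypt=True)
        length = int.from_bytes(blob[512:516], "little")
        if length > 512:
            return False
        self.machine_password = blob[512 - length:512]
        return True


def zerologon(dc, max_attempts=10000):
    """Phase 1: repeat the handshake with an all-zero challenge and credential until a weak
    session key lets it pass. Phase 2: all-zero authenticator plus an all-zero 516-byte blob,
    which the same weak key decrypts to a zero-length password. Returns the attempt count,
    or None if the DC never accepted the insecure channel."""
    for attempt in range(1, max_attempts + 1):
        if dc.authenticate3(ZERO_CHALLENGE, ZERO_CHALLENGE, POC_FLAGS):
            return attempt if dc.password_set2(ZERO_CHALLENGE, 0, bytes(516)) else None
    return None


def demo(seed=1):
    """Run the attack against an unpatched and a patched simulated DC with the same seed."""
    unpatched, patched = SimulatedDC(seed), SimulatedDC(seed, require_sign_seal=True)
    attempts = zerologon(unpatched)
    return {"attempts": attempts, "failed_auths": unpatched.failed_auths,
            "password": unpatched.machine_password, "patched_attempts": zerologon(patched)}


if __name__ == "__main__":
    r = demo()
    print(f"unpatched DC: accepted after {r['attempts']} attempts, password now {r['password']!r}")
    print("patched DC:", "blocked" if r["patched_attempts"] is None else "still exploitable")
```

Running it shows the unpatched DC accepting the zero credential after a few hundred attempts and ending with an empty machine-account password, while the DC that insists on signing and sealing never hands out a channel at all. That contrast is the point of Microsoft's fix: the 1-in-256 odds are a property of the fixed-IV construction and cannot be patched away per call, so the remedy is to refuse the insecure channel the exploit needs.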
The vulnerability was patched in August 2020, but it was not until Secura published its report in September that the exploit began to appear in malicious activity.
In late October Microsoft warned that threat actors were actively exploiting systems that had not been patched against the Zerologon privilege escalation. In November Microsoft also added detection rules to Microsoft Defender to “detect adversaries as they try to exploit this vulnerability against your domain controllers.” The general advice is to enforce secure RPC for Netlogon: every Netlogon secure channel must be signed and sealed with the negotiated session key, so a client can no longer request the unprotected channel that the exploit depends on.
Domain controllers that have received the August update reject vulnerable (unsigned, unsealed) Netlogon connections from Windows machine accounts and from domain controller accounts themselves, which blocks the attack as described, since it impersonates a domain controller. All Active Directory domain controllers must be updated, including read-only domain controllers.
“The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions,” Microsoft explained. Complete remediation, however, only comes with Domain Controller (DC) enforcement mode, which requires all Windows and non-Windows devices to use secure NRPC, or an explicit exception for any non-compliant account.
Organisations can turn on DC enforcement mode immediately by setting the FullSecureChannelProtection registry value (a DWORD of 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) on every domain controller; from 9 February 2021 the monthly updates place DCs in enforcement mode automatically.
The phased roll-out exists because there are many non-Windows implementations of the Netlogon Remote Protocol (Samba and various network appliances, for example), and vendors of non-compliant implementations needed time to ship updates to their customers.
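Before turning on enforcement mode an administrator needs to know which accounts would stop working, and the events a patched domain controller logs during the initial-deployment phase give that answer. The following added Python example (not the page's code and not a Microsoft tool) triages such events once they have been exported from the System log, for instance with Get-WinEvent, into the simplified records shown. The event IDs are the ones Microsoft documents for the August 2020 update; the records, the host inventory and the field names are constructed for the example.

```python
"""
Triage of the Netlogon events a patched domain controller writes to its System log
(source NETLOGON) before enforcement mode is turned on. Added example, not from the page.
Event IDs are the ones Microsoft documents for the August 2020 update: 5827/5828 =
vulnerable connection denied (machine / trust account), 5829 = vulnerable connection
allowed and will be denied in enforcement mode, 5830/5831 = allowed only because of an
explicit group-policy exception. The records and the host inventory below are constructed;
the field names are simplified from the event message fields (assumption about naming).
"""
from collections import defaultdict

DENIED = {5827, 5828}
ALLOWED_VULNERABLE = {5829}
ALLOWED_BY_EXCEPTION = {5830, 5831}

SAMPLE_EVENTS = [  # constructed: exported events reduced to the fields the triage needs
    {"id": 5829, "account": "NAS01$", "domain": "CORP", "os": "Linux", "client": "10.0.4.17"},
    {"id": 5829, "account": "NAS01$", "domain": "CORP", "os": "Linux", "client": "10.0.4.17"},
    {"id": 5829, "account": "PRINTER7$", "domain": "CORP", "os": "", "client": "10.0.9.3"},
    {"id": 5830, "account": "LEGACYAPP$", "domain": "CORP", "os": "Windows Server 2003", "client": "10.0.2.8"},
    {"id": 5828, "account": "PARTNER$", "domain": "PARTNER", "os": "", "client": "192.0.2.10"},
    # A Zerologon attempt spoofs the DC's own account, so the client address is not the DC's.
    {"id": 5827, "account": "DC01$", "domain": "CORP", "os": "", "client": "10.0.66.6"},
]
KNOWN_HOSTS = {"CORP\\DC01$": {"10.0.0.10"}, "CORP\\NAS01$": {"10.0.4.17"}}  # constructed


def summarise(events):
    """Return {category: {DOMAIN\\account: sorted client IPs}} for the five Netlogon events."""
    out = {"denied": defaultdict(set), "allowed_vulnerable": defaultdict(set),
           "allowed_by_exception": defaultdict(set)}
    for ev in events:
        key = f"{ev['domain']}\\{ev['account']}"
        if ev["id"] in DENIED:
            out["denied"][key].add(ev["client"])
        elif ev["id"] in ALLOWED_VULNERABLE:
            out["allowed_vulnerable"][key].add(ev["client"])
        elif ev["id"] in ALLOWED_BY_EXCEPTION:
            out["allowed_by_exception"][key].add(ev["client"])
    return {cat: {acct: sorted(ips) for acct, ips in d.items()} for cat, d in out.items()}


def ready_for_enforcement(events):
    """Enforcement mode breaks every account still producing 5829. Turn it on only when
    that set is empty; accounts under 5830/5831 keep working through their exception."""
    return not summarise(events)["allowed_vulnerable"]


def spoofed_accounts(events, known_hosts):
    """Events where a known machine account connects from an address that is not its own:
    the trace an exploitation attempt leaves (the DC account used from the attacker's host)."""
    hits = []
    for ev in events:
        key = f"{ev['domain']}\\{ev['account']}"
        if key in known_hosts and ev["client"] not in known_hosts[key]:
            hits.append((ev["id"], key, ev["client"]))
    return hits


if __name__ == "__main__":
    for cat, accounts in summarise(SAMPLE_EVENTS).items():
        print(cat, accounts)
    print("safe to enable enforcement:", ready_for_enforcement(SAMPLE_EVENTS))
    print("possible spoofing:", spoofed_accounts(SAMPLE_EVENTS, KNOWN_HOSTS))
```

The 5829 inventory is the list of vendors to chase or of accounts to add to the “Domain controller: Allow vulnerable Netlogon secure channel connections” policy before enforcement; a machine account appearing from an address that is not its own, above all a domain controller's account, deserves an incident-response look rather than an exception.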