17/09/2020

Windows ‘Zerologon’ Vulnerability CVE-2020-1472

Proof-of-concept (PoC) exploitation code is available for a critical privilege elevation vulnerability (CVE-2020-1472) in the Microsoft Netlogon Remote Protocol (MS-NRPC). This vulnerability, which has been dubbed "Zerologon", occurs when establishing a secure channel connection to a domain controller. Microsoft released the first of two security updates to address this issue in August 2020.

Exploitation could allow an unauthenticated remote attacker on the local network to gain domain administrator privileges on vulnerable systems. Our security partners, Secureworks®, have observed exploit attempts in Secureworks client telemetry, although this traffic may be due to internal testing and not malicious activity.

Recommended actions:

Secureworks recommend that clients review and apply updates as appropriate in their environments as soon as possible. The initial security update does not fully remediate this issue, so clients should monitor logs until the second update is released in the February 2021 "enforcement phase". For additional details, clients should review the supplemental Microsoft guidelines referenced in the advisory.
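The following PowerShell script is an added example and is not part of the emPSN advisory or of Microsoft's own tooling. It shows one way a domain controller administrator can carry out the "monitor logs" recommendation during the deployment phase: it reports whether enforcement mode has already been switched on and summarises the Netlogon secure-channel events from the System log. The event IDs 5827 to 5831 and the FullSecureChannelProtection registry value are taken from the Microsoft KB4557222 article listed in the references below; the LookbackHours parameter, the wording of the summary table and the choice to run it on each domain controller are assumptions of this example.

```powershell
# Added example (not from the advisory): defender-side check of the Netlogon
# secure-channel hardening state on a domain controller.
# Event IDs 5827-5831 and the FullSecureChannelProtection value are documented
# in Microsoft KB4557222; the parameter and report layout are assumptions.
# Run in an elevated PowerShell session on each domain controller.

param(
    [int]$LookbackHours = 24   # assumed default: how far back to search the System log
)

# Meaning of each Netlogon event, per KB4557222
$eventMeaning = @{
    5827 = 'Vulnerable Netlogon connection DENIED (machine account)'
    5828 = 'Vulnerable Netlogon connection DENIED (trust account)'
    5829 = 'Vulnerable Netlogon connection ALLOWED (machine account) - will break in enforcement phase'
    5830 = 'Vulnerable connection ALLOWED by group policy exception (machine account)'
    5831 = 'Vulnerable connection ALLOWED by group policy exception (trust account)'
}

# 1. Is enforcement mode already switched on ahead of the February 2021 phase?
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$enforce = (Get-ItemProperty -Path $regPath -Name 'FullSecureChannelProtection' `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($enforce -eq 1) {
    Write-Output 'FullSecureChannelProtection = 1 : enforcement mode is ON'
} else {
    Write-Output 'FullSecureChannelProtection not set to 1 : deployment phase, vulnerable connections still allowed'
}

# 2. Pull the Netlogon secure-channel events from the System log.
#    These IDs are specific enough that no provider filter is needed.
$filter = @{
    LogName   = 'System'
    Id        = 5827, 5828, 5829, 5830, 5831
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Netlogon 5827-5831 events in the last $LookbackHours hours"
    return
}

# 3. Summarise by event ID: count and meaning.
Write-Output ("{0,5}  {1,5}  {2}" -f 'ID', 'Count', 'Meaning')
$events | Group-Object Id | Sort-Object Name | ForEach-Object {
    $id = [int]$_.Name
    Write-Output ("{0,5}  {1,5}  {2}" -f $id, $_.Count, $eventMeaning[$id])
}

# 4. List the individual 5829 events: each names a machine account that will be
#    refused once enforcement is enabled, so it needs patching or investigation
#    before February 2021.
$events | Where-Object Id -eq 5829 |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run it as `.\Check-NetlogonEvents.ps1 -LookbackHours 168` for a week's view. A steady stream of 5829 events after the August 2020 update is applied points to unpatched or third-party devices that still negotiate the weak secure channel; the message text of each event identifies the account and client address so they can be tracked down before the enforcement update removes the fallback.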

Questions:

If you have any questions or concerns about this advisory, please contact the team on support@empsn.org.uk

References:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

https://www.secura.com/pathtoimg.php?id=2055

https://github.com/dirkjanm/CVE-2020-1472

https://portal.secureworks.com/portal/intel/tip/8603
