Proof-of-concept (PoC) exploitation code is available for a critical privilege elevation vulnerability (CVE-2020-1472) in the Microsoft Netlogon Remote Protocol (MS-NRPC). This vulnerability, which has been dubbed "Zerologon", occurs when establishing a secure channel connection to a domain controller. Microsoft released the first of two security updates to address this issue in August 2020.
Exploitation could allow an unauthenticated remote attacker on the local network to gain domain administrator privileges on vulnerable systems. Our security partner, Secureworks®, has observed exploit attempts in its client telemetry, although this traffic may be due to internal testing rather than malicious activity.
Recommended actions:
Secureworks recommends that clients review and apply the updates as appropriate in their environments as soon as possible. The initial security update does not fully remediate this issue, so clients should monitor logs until the second update is released in the February 2021 "enforcement phase". For additional details, clients should review the supplemental Microsoft guidance referenced in the advisory.
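The advisory asks clients to monitor logs until the enforcement phase. The August 2020 update makes this concrete by writing dedicated Netlogon events to the System log on each domain controller: 5827 and 5828 when a vulnerable secure-channel connection is denied, 5829 when one is still allowed (these are the clients that will break once enforcement is on), and 5830 and 5831 when one is allowed by an explicit group-policy exception. The following PowerShell is an added example written for this page, not Secureworks' or Microsoft's code. The event IDs and the FullSecureChannelProtection registry value come from Microsoft's published guidance for the update rather than from the advisory text above; the "Machine SamAccountName:" and "Client IP Address:" labels used to pull fields out of the event message are assumed from Microsoft's event description and the code tolerates their absence.

```powershell
# Added example (not from the advisory): summarise the Netlogon events that the
# August 2020 update writes to the System log on a domain controller, so that
# clients still negotiating insecure channels are found before enforcement.
#
# Event IDs (from Microsoft's guidance for the update, not from the advisory):
#   5827 / 5828  vulnerable connection DENIED (machine account / trust account)
#   5829         vulnerable connection ALLOWED (denied once enforcement is on)
#   5830 / 5831  vulnerable connection ALLOWED by a group-policy exception
$ZerologonEventIds = 5827, 5828, 5829, 5830, 5831

function Get-VulnerableNetlogonEvents {
    [CmdletBinding()]
    param(
        # Domain controller to query; defaults to the local machine.
        [string]$ComputerName = $env:COMPUTERNAME,
        # How far back to look.
        [timespan]$Since = (New-TimeSpan -Days 7)
    )

    $filter = @{
        LogName   = 'System'
        Id        = $ZerologonEventIds
        StartTime = (Get-Date) - $Since
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no findings".
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Field labels in the message text are an assumption; fall back to $null.
        $account  = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { $null }
        $clientIp = if ($e.Message -match 'Client IP Address:\s*(\S+)')    { $Matches[1] } else { $null }

        $outcome = switch ($e.Id) {
            { $_ -in 5827, 5828 } { 'Denied' }
            5829                  { 'Allowed (would be denied under enforcement)' }
            default               { 'Allowed by policy exception' }
        }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Outcome     = $outcome
            Account     = $account
            ClientIP    = $clientIp
            DC          = $ComputerName
        }
    }
}

function Test-NetlogonEnforcementMode {
    # FullSecureChannelProtection = 1 switches the DC to enforcement mode ahead
    # of the February 2021 phase (value name from Microsoft's update guidance).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value = (Get-ItemProperty -Path $key -Name 'FullSecureChannelProtection' -ErrorAction SilentlyContinue).FullSecureChannelProtection
    [bool]($value -eq 1)
}

# Usage: run on (or against) each domain controller in the forest.
$findings = Get-VulnerableNetlogonEvents -Since (New-TimeSpan -Days 30)

# Volume per event ID: a non-zero 5829 count means remediation work remains.
$findings | Group-Object EventId | Select-Object Name, Count | Format-Table -AutoSize

# Distinct clients that still use a vulnerable channel and will fail under enforcement.
$findings | Where-Object EventId -eq 5829 | Sort-Object Account -Unique |
    Format-Table TimeCreated, Account, ClientIP -AutoSize

"Enforcement mode on this DC: $(Test-NetlogonEnforcementMode)"
```

The 5829 list is the actionable output: each entry is a device or third-party product that has not been updated to use a secure Netlogon channel and will lose domain connectivity once the enforcement phase arrives, so it should be patched or replaced rather than added to the group-policy exception. Run the collection against every domain controller, since each DC only logs the connections it served.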
Questions:
If you have any questions or concerns about this advisory, please contact the team on support@empsn.org.uk
References:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
https://www.secura.com/pathtoimg.php?id=2055
https://github.com/dirkjanm/CVE-2020-1472
https://portal.secureworks.com/portal/intel/tip/8603