Security vulnerability: Microsoft Windows Server "Zerologon" (CVE-2020-1472)

What does this vulnerability mean?

On 11 September 2020, detailed technical information about a critical vulnerability in Microsoft Windows (CVSS 10) was published. On 11 September 2020, detailed technical information was published about a critical vulnerability in Microsoft Windows (CVSS 10) that was included in Microsoft's August 2020 update set and appears to affect all currently supported Windows Servers (2008 R2 and later).

When originally announced in August, the vulnerability was given the official designation CVE-2020-1472, but not many details about the vulnerability itself were released.

It is known that this vulnerability, now known as "Zerologon", can allow an attacker to exploit the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of an arbitrary computer when attempting to authenticate to the domain controller. From there, a variety of other attacks are possible, including but not limited to disabling security features, changing passwords, and essentially taking over the domain.

The entire attack, as shown, is very fast and can be executed in about 3 seconds, so it can be very dangerous.

‍

What are short-term protection measures?

What can you do to protect yourself in the short term - we have researched the most important points:

All affected systems should be patched immediately with the latest security update from Microsoft.
Network access (both physical and remote) should be carefully guarded. The vulnerability can only be exploited remotely, so the attacker must first gain access by other means.
If Deep Security or TippingPoint is in use, use the IPS rule / Filter:

Rule 1010519 - Microsoft Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)
Filter 38166: MS-NRPC: Microsoft Windows Netlogon Zerologon Authentication Bypass Attempt

If you have any questions, please contact us.

‍

Source: Trend Micro, Microsoft