Domain Controllers Are At Risk With Zerologon
Posted on September 22, 2020 by Aaron Miller

Back in August of 2020, Microsoft began addressing a serious bug/vulnerability with a 2-phase deployment: the first phase serves as a temporary fix, and the second, coming this February (2021), wraps it up. The bug has gathered attention because code that demonstrates how to exploit unpatched systems has been released into the public domain.

This bug scores a 10 out of 10 on CVSS. It’s time to make sure your domain controllers are up-to-date with patches. Here are some of the technical details on CVE-2020-1472, also known as Zerologon:

  • An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
  • To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
  • Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.

What does this mean?

Someone with nefarious intent could leverage the flaw in the Netlogon Remote Protocol to impersonate any computer (including your domain controllers) and execute code or applications on the impersonated system’s behalf.

How can I address this?

Start by ensuring your domain controllers are up-to-date with patching. Microsoft has released a roadmap and step-by-step guidance for each phase. The support article can be found HERE.

Mitigation consists of installing the update on all DCs and RODCs, monitoring for new events, and addressing non-compliant devices that are using vulnerable Netlogon secure channel connections. If you need assistance with patching or installing updates, please contact the EDCi Technical Support Services Center at (800) 332-3553 or Support@edci.com.
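As an added example (not part of the original post or of Microsoft's guidance), here is a PowerShell script for the monitoring step above: on a patched DC it collects the Netlogon events the update introduces (IDs 5827 through 5831, source NETLOGON in the System log, as documented by Microsoft) and summarizes the devices still using vulnerable secure channel connections so they can be addressed before enforcement. The "Machine SamAccountName:" and "Client IP Address:" labels used to parse the event text are assumed from the event message format.

```powershell
# Added example: list devices still using vulnerable Netlogon secure channels on patched DCs.
# Assumes the Microsoft-documented event IDs 5827-5831 (System log, source NETLOGON) and the
# "Machine SamAccountName:" / "Client IP Address:" labels in the event message text.
param(
    [string[]]$DomainController = @($env:COMPUTERNAME),  # run against every DC and RODC
    [int]$Days = 7                                       # look-back window
)

# 5829 = vulnerable connection allowed (device must be fixed before enforcement)
# 5830/5831 = vulnerable connection allowed because group policy permits it
# 5827/5828 = vulnerable connection denied (machine account / trust account)
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-$Days)
}

$results = foreach ($dc in $DomainController) {
    # Get-WinEvent reports an error when nothing matches; treat that as "no events on this DC".
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $account = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $matches[1] } else { '(unknown)' }
        $client  = if ($e.Message -match 'Client IP Address:\s*(\S+)')     { $matches[1] } else { '(unknown)' }
        $outcome = switch ($e.Id) {
            5829                  { 'Allowed (vulnerable, needs fixing)' }
            { $_ -in 5830, 5831 } { 'Allowed by group policy' }
            default               { 'Denied' }
        }
        [pscustomobject]@{
            DC       = $dc
            Time     = $e.TimeCreated
            EventId  = $e.Id
            Outcome  = $outcome
            Account  = $account
            ClientIP = $client
        }
    }
}

# One row per non-compliant device: how often, from which addresses, and when it was last seen.
$results | Where-Object { $_.EventId -in 5829, 5830, 5831 } |
    Group-Object Account | ForEach-Object {
        [pscustomobject]@{
            Account   = $_.Name
            Count     = $_.Count
            ClientIPs = ($_.Group.ClientIP | Sort-Object -Unique) -join ', '
            LastSeen  = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } | Sort-Object Count -Descending | Format-Table -AutoSize
```

Denied events (5827/5828) are kept in `$results` so you can also review which devices are already being blocked; run the script against every DC, since each one logs only the connections it handled.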