CVE-2020-1472 “Zerologon”: targeting corporate networks

Microsoft adopted a very low-key approach to its August fix for what was one of the most serious bugs ever reported to the company. Its severity was confirmed by the CVSSv3, which assigned the vulnerability a maximum score of 10/10. With this CVE-2020-1472 vulnerability, now also known as Zerologon, an attacker can change the password of any Active Directory account – including a domain administrator account – from a user workstation.

 

Having taken ownership of a domain administrator account, the attacker can then take control of Windows servers on corporate networks. This vulnerability is all the more dangerous because a successful attack requires an average of 256 attempts – the equivalent of less than 3 seconds.

The patch was published by Microsoft on Patch Tuesday in August, describing the bug as a privilege escalation issue in the Netlogon protocol.

 

Details about the CVE-2020-1472 vulnerability

The exploit is mainly based on the use of the DCERPC RPC_NETLOGON_UUID (12345678-1234-abcd-ef00-01234567cffb) interface with two methods – NetrServerReqChallenge (opnum 4) and NetrServerAuthenticate3 (opnum 26) in which the Client Challenge and Client Credential fields are both set to “0000000000000000”.

Although by this point the attacker has already succeeded in bypassing the authentication step, they still do not have the session key – because of the Netlogon transport encryption mechanism (Signing and Sealing). To overcome this obstacle, the attacker must ensure that “Supports Secure RPC and AES & SHA2 encryption” has been disabled via NetrServerAuthenticate3. In this case, after several attempts (256 on average), the attacker can recover the session key and be authenticated by AD.

This vulnerability has already been the subject of a detailed technical report by Dutch security company Secura BV, as well as a POC produced by Spanish company BlackArrow.

 

Threat management with Stormshield Network Security

Blocking of RPC_NETLOGON_UUID in the DCERPC protocol

It is possible to block the use of RPC_NETLOGON_UUID by configuring the DCERPC protocol. However, this will affect all use cases for the Netlogon protocol that involve resetting passwords or backing up AD’s user database.

This workaround should therefore be considered only on a very temporary basis, while remaining aware of the issues it causes, in anticipation of Microsoft’s official patches and the signature-based protection described below.

IPS signature attack detection

The “DCERPC: Microsoft Netlogon remote protocol vulnerability (CVE-2020-1472)” protection signature with the ID “dcerpc:request:data:9” has been deployed and made available to our customers. It provides protection against the Zerologon cyberattack

It is configured by default as “Pass” and must therefore be set to “Block” to stop attempted attacks. Also make sure that your filtering rules authorising DCERPC flows activate IPS analysis to ensure that you benefit from this protection.

 

Threat management with Stormshield Endpoint Security

Because the attack is based on a failure to implement the encryption of secrets in network exchanges between the workstation and the server, and no files or modifications of the workstation configuration are involved, the SES solution does not offer protection against attacks that exploit this vulnerability.

 

Stormshield recommendations

The main recommendation at this point is to apply the patch provided by Microsoft to your domain controllers as soon as possible. You can also find a list of vulnerable versions and how to patch them.

Lastly, as the vulnerability is fairly old, it is advisable to change the domain administrators’ passwords and carry out an audit of your domain’s accounts (check changes made and accounts created).

Share on

About the author

mm
Julien Paffumi
Product Management Leader, Stormshield

Julien made his first foray into Arkoon’s R&D as a quality engineer. He then directly trained administrators and acquired broad knowledge of their needs – an invaluable experience for his next role as Product Manager of Arkoon Fast360 firewalls, and then of the Stormshield Management Center centralised administration console. Eager to share what he has learned, Julien now works in continuous improvement for Product Management at Stormshield as a Product Management Leader. This cross-cutting role also feeds his never-ending curiosity thanks to its broader approach to Stormshield solutions.