Microsoft adopted a very low-key approach to its August fix for what was one of the most serious bugs ever reported to the company. Its severity was confirmed by the CVSSv3, which assigned the vulnerability a maximum score of 10/10. With this CVE-2020-1472 vulnerability, now also known as Zerologon, an attacker can change the password of any Active Directory account – including a domain administrator account – from a user workstation.
Having taken ownership of a domain administrator account, the attacker can then take control of Windows servers on corporate networks. This vulnerability is all the more dangerous because a successful attack requires an average of 256 attempts – the equivalent of less than 3 seconds.
The patch was published by Microsoft on Patch Tuesday in August, describing the bug as a privilege escalation issue in the Netlogon protocol.
Details about the CVE-2020-1472 vulnerability
The exploit is mainly based on the use of the DCERPC RPC_NETLOGON_UUID (12345678-1234-abcd-ef00-01234567cffb) interface with two methods – NetrServerReqChallenge (opnum 4) and NetrServerAuthenticate3 (opnum 26) in which the Client Challenge and Client Credential fields are both set to “0000000000000000”.
Although by this point the attacker has already succeeded in bypassing the authentication step, they still do not have the session key – because of the Netlogon transport encryption mechanism (Signing and Sealing). To overcome this obstacle, the attacker must ensure that “Supports Secure RPC and AES & SHA2 encryption” has been disabled via NetrServerAuthenticate3. In this case, after several attempts (256 on average), the attacker can recover the session key and be authenticated by AD.
Threat management with Stormshield Network Security
Blocking of RPC_NETLOGON_UUID in the DCERPC protocol
It is possible to block the use of RPC_NETLOGON_UUID by configuring the DCERPC protocol. However, this will affect all use cases for the Netlogon protocol that involve resetting passwords or backing up AD’s user database.
This workaround should therefore be considered only on a very temporary basis, while remaining aware of the issues it causes, in anticipation of Microsoft’s official patches and the signature-based protection described below.
IPS signature attack detection
The “DCERPC: Microsoft Netlogon remote protocol vulnerability (CVE-2020-1472)” protection signature with the ID “dcerpc:request:data:9” has been deployed and made available to our customers. It provides protection against the Zerologon cyberattack
It is configured by default as “Pass” and must therefore be set to “Block” to stop attempted attacks. Also make sure that your filtering rules authorising DCERPC flows activate IPS analysis to ensure that you benefit from this protection.
Threat management with Stormshield Endpoint Security
Because the attack is based on a failure to implement the encryption of secrets in network exchanges between the workstation and the server, and no files or modifications of the workstation configuration are involved, the SES solution does not offer protection against attacks that exploit this vulnerability.
The main recommendation at this point is to apply the patch provided by Microsoft to your domain controllers as soon as possible. You can also find a list of vulnerable versions and how to patch them.
Lastly, as the vulnerability is fairly old, it is advisable to change the domain administrators’ passwords and carry out an audit of your domain’s accounts (check changes made and accounts created).