What is the potential impact of CVE-2020-1472?

The successful exploitation of CVE-2020-1472 allows an attacker to impersonate any computer on the network, disable security features that protect the Netlogon process, and change a computer’s password associated with its Active Directory account.

What does an attacker need to exploit Zerologon?

In order to exploit Zerologon an attacker needs to be on the network. The attacker can gain access to networks by multiple means such as phishing, drive-by exploits, or additional means.

What event ids are enabled once the August 2020 patch is installed on a domain controller?

The following event ids are enabled once the August 2020 patch is installed on a Domain Controller: Log event IDs 5827 and 5828 log when a connection has been denied to the domain controller once enforcement mode has been enabled. , Log event IDs 5830 and 5831 log when a connection is allowed by the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy. , Log event IDs 5829 logs whenever a vulnerable Netlogon secure channel connection is allowed for both Windows and Non-Windows devices.

What actions can I take to protect my devices from the Zerologon Vulnerability?

deepwatch recommends taking the following actions in vulnerable environments to assist in further protecting devices: Action 1: Patch all systems with Microsoft’s August 2020 security updates and verify the successful installation with a vulnerability scanning tool, such as those from Qualys or Tenable, and your organization’s patch management tools. , Action 2: Enabling forwarding to SIEM devices or monitoring event id 5829 and monitoring for devices that are not utilizing a secure Netlogon. If a device is detected with event id 5829 recommended steps by Microsoft are as follows: Windows Systems , – Confirm the device(s) are running supported versions of Windows , – Ensure the system is fully updated. , – Check to ensure that Domain member: digitally encrypt or sign secure channel data (always) is set to enabled. , For non-windows systems acting as a Domain Controller and an event is logged , – Ensure the non-compliant DC supports secure RPC with Netlogon secure channel then enable secure RPC on the DC. , – If the non-compliant DC does not support RPC then the device manufacturer (OEM) or software vendor will need to update in order to support secure RPC with Netlogon secure channel. , – Remove the non-compliant DC. , If a non-compliant DC cannot support the RPC with Netlogon secure channel before the DCs are in enforcement mode, add the DC using the “Domain controller: allow vulnerable Netlogon secure channel connections” group policy. Further information on this action can be found at the following location on Microsoft’s site: , https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc , Action 3: Enable DC enforcement mode after confirming all devices are compliant and will not break as a result of enabling. It should be noted the patch to be released February 9th, 2021 will automatically enable enforcement mode on Domain Controllers.

10.14.20

Bad Neighbor Vulnerability

By Dave Farquhar

In the October monthly security rollups, Microsoft fixed two major issues in IPv6 ICMP protocol. One that can lead to remote code execution (CVE-2020-16898) and another that can lead to denial of service (CVE-2020-16899). All versions of Windows 10 and Windows Server 2019 are affected. Security vendor McAfee has dubbed the flaw the “Bad Neighbor Vulnerability.”

Impacted versions of Windows contain the tcpip.sys driver which has a buffer overflow in the handling of the Recursive DNS Server option. This allows an attacker to run code on a system, or take the system offline. Attack patterns are similar to the ping of death attacks of the 1990s. There is proof of concept code in circulation, and it has a CVSS score of 9.8.

Note that IPv4 is not affected.

The existing proof of concept code can blue screen the system, rather than executing arbitrary code. Code execution is theoretically possible but will take longer for attackers to develop.

What is the potential impact of CVE-2020-16898 and CVE-2020-16899?

The successful exploitation of CVE-2020-16898 allows an attacker to execute code remotely via a specially crafted IPv6 ICMP packet. Additionally, CVE-2020-16899, fixed in the same update, fixes a denial of service condition in IPv6.

What does an attacker need to exploit the Bad Neighbor Vulnerability?

In order to exploit the Bad Neighbor Vulnerability, an attacker needs to be on the same network with the intended targets, though this could be any device that is capable of pinging such as a mobile device. This is a larger concern on publicly facing Windows servers. To attack workstations on your internal network, an attacker would first have to gain access via phishing, drive-by exploits, or additional means.

Bad Neighbor Vulnerability Mitigation

Microsoft released the security update in October 2020 and recommended customers patch as soon as possible.

A mitigation exists in lieu of patching. From a command prompt, issue the following command:

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

The easiest way to get the interface number is to execute the command route print from a command line. The interface numbers will appear in the left column and should be inserted where *INTERFACENUMBER* is documented in the mitigation.

Note that the mitigation must be applied to every interface. It should be noted that most servers have multiple wired interfaces. Laptops have both wired and wireless interfaces. A system can have virtual interfaces that may or may not share an ID with a physical interface.

The mitigation does not require a reboot. Since the interface numbers vary from machine to machine, the mitigation may be difficult to deploy at scale.

Deepwatch recommends performing the mitigation as quickly as possible and scheduling the update through your normal testing and deployment process.

Detecting CVE-2020-16898 and CVE-2020-16899

Vulnerability Management:

Qualys has released a detection as follows:
- 91686 – Microsoft Windows TCP/IP Remote Code Execution Vulnerability
Tenable plugins include:
- 141420 – KB4580328: Windows 10 Version 1709 October 2020 Security Update
- 141433 – KB4577668: Windows 10 Version 1809 and Windows Server 2019 October 2020 Security Update
- 141422 -KB4580330: Windows 10 Version 1803 October 2020 Security Update
- 141423 – KB4579311: Windows 10 Version 2004 October 2020 Security Update
- 141427 – KB4577671: Windows 10 Version 1903 and Windows 10 Version 1909 October 2020 Security Update

These detections are likely to require an authenticated scan to work properly. At time of writing this report, the detections do not appear to pick up the mitigation factors but are expected to change in later releases.

Deepwatch customers should contact their vulnerability management engineer for assistance in identifying vulnerable systems.

Deepwatch Managed Detection and Response (MDR), Endpoint Detection and Response (EDR), and Firewall teams will monitor for any additional detections or alerting that can be put in place to notify customers of potential exposure or attacks from this vulnerability.