What is the potential impact of CVE-2020-1472?

The successful exploitation of CVE-2020-1472 allows an attacker to impersonate any computer on the network, disable security features that protect the Netlogon process, and change a computer’s password associated with its Active Directory account.

What does an attacker need to exploit Zerologon?

In order to exploit Zerologon an attacker needs to be on the network. The attacker can gain access to networks by multiple means such as phishing, drive-by exploits, or additional means.

What event ids are enabled once the August 2020 patch is installed on a domain controller?

The following event ids are enabled once the August 2020 patch is installed on a Domain Controller: Log event IDs 5827 and 5828 log when a connection has been denied to the domain controller once enforcement mode has been enabled. , Log event IDs 5830 and 5831 log when a connection is allowed by the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy. , Log event IDs 5829 logs whenever a vulnerable Netlogon secure channel connection is allowed for both Windows and Non-Windows devices.

What actions can I take to protect my devices from the Zerologon Vulnerability?

deepwatch recommends taking the following actions in vulnerable environments to assist in further protecting devices: Action 1: Patch all systems with Microsoft’s August 2020 security updates and verify the successful installation with a vulnerability scanning tool, such as those from Qualys or Tenable, and your organization’s patch management tools. , Action 2: Enabling forwarding to SIEM devices or monitoring event id 5829 and monitoring for devices that are not utilizing a secure Netlogon. If a device is detected with event id 5829 recommended steps by Microsoft are as follows: Windows Systems , – Confirm the device(s) are running supported versions of Windows , – Ensure the system is fully updated. , – Check to ensure that Domain member: digitally encrypt or sign secure channel data (always) is set to enabled. , For non-windows systems acting as a Domain Controller and an event is logged , – Ensure the non-compliant DC supports secure RPC with Netlogon secure channel then enable secure RPC on the DC. , – If the non-compliant DC does not support RPC then the device manufacturer (OEM) or software vendor will need to update in order to support secure RPC with Netlogon secure channel. , – Remove the non-compliant DC. , If a non-compliant DC cannot support the RPC with Netlogon secure channel before the DCs are in enforcement mode, add the DC using the “Domain controller: allow vulnerable Netlogon secure channel connections” group policy. Further information on this action can be found at the following location on Microsoft’s site: , https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc , Action 3: Enable DC enforcement mode after confirming all devices are compliant and will not break as a result of enabling. It should be noted the patch to be released February 9th, 2021 will automatically enable enforcement mode on Domain Controllers.

11.04.20

Vulnerability SPOT Report

Oracle WebLogic Vulnerability

By Greg Alexander

Oracle has released an out of band patch for vulnerability CVE-2020-14750. It has been given a 9.8 out of 10 base score on CVSS 3.1. The high CVSS score is due to the vulnerability being able to be remotely exploited without credentials.

Details of the flaw were not disclosed. The vulnerability appears to be in the Console of the Oracle WebLogic Server and can be exploited via the HTTP network protocol. Attacks are similar to CVE-2020-14882, for which Oracle released a patch in October of 2020, that does not require user interaction and can be exploited remotely through networks without the need for a username or password.

Oracle has stated that the vulnerability “is related to” CVE-2020-14882, which is another remote code-execution flaw in WebLogic Servers that Oracle patched in the October 2020 release. However, security professionals have pointed out that a patched CVE-2020-14882 could be bypassed by merely changing the case of a character in the request by sidestepping the path-traversal blacklist that was implemented to block the flaw

What is the Potential Impact?

An unspecified vulnerability exists in the Core component of WebLogic Servers. Unauthenticated attackers that have network access via HTTP can exploit the server and take over the Oracle WebLogic Server.

The following versions of Oracle WebLogic are vulnerable:

10.3.6.0.0
12.1.3.0.0
12.2.1.3.0
12.2.1.4.0
14.1.1.0.0

Oracle believes that older versions are also vulnerable and recommends customers to update to a support version of Oracle WebLogic.