Secura BV security researcher Tom Tervoort discovered a flaw in the cryptography Windows uses to authenticate Netlogon secure channel sessions with its domain controllers. Microsoft quietly patched the vulnerability in its August 2020 security rollup as part of a Netlogon update. In mid-September, Secura disclosed the details of CVE-2020-1472, which has a CVSS score of 10 out of 10 and is already rated high by the threat intelligence vendors deepwatch works with. Proof-of-concept code is in circulation.

The vulnerability allows an attacker with network access to a domain controller to take it over within minutes, giving the attacker full control of the domain, including the ability to steal the credentials of individual Windows accounts. The Zerologon name comes from how the cryptographic flaw is exploited: the attacker fills the Netlogon client challenge and client credential fields with zeros. Because Netlogon computes the credential with AES-CFB8 using an all-zero initialisation vector, an all-zero challenge encrypts to an all-zero credential for roughly one in 256 session keys, so a few hundred attempts are enough to authenticate as any computer account without knowing its password.
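The following PowerShell script is an added illustration of that primitive; it is not code from the deepwatch post, from Secura, or from Microsoft. It uses real AES-128 from .NET and implements the CFB8 chaining by hand so that the failure is visible, then draws random session keys (standing in for the key the attacker does not know) and counts how often an all-zero credential would be accepted. The function names are this example's own.

```powershell
# Added illustration of the Zerologon primitive; this is not code from the
# deepwatch post or from Secura. It uses real AES-128 from .NET and implements
# the CFB8 chaining by hand so the failure is visible. Runs in Windows
# PowerShell 5.1 and PowerShell 7.

function ConvertTo-AesCfb8 {
    # AES-CFB8 as Netlogon's ComputeNetlogonCredential uses it: a 16-byte
    # feedback register seeded with the IV; each output byte is plaintext XOR
    # the first byte of AES(register), and that ciphertext byte is then shifted
    # into the register.
    param([byte[]]$Key, [byte[]]$Iv, [byte[]]$Plaintext)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB   # raw block function
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
    $aes.Key     = $Key
    $enc = $aes.CreateEncryptor()
    try {
        $register = [byte[]]$Iv.Clone()
        $cipher   = New-Object byte[] $Plaintext.Length
        for ($i = 0; $i -lt $Plaintext.Length; $i++) {
            $keystreamByte = $enc.TransformFinalBlock($register, 0, 16)[0]
            $cipher[$i]    = $Plaintext[$i] -bxor $keystreamByte
            $register      = [byte[]]($register[1..15] + $cipher[$i])
        }
        return $cipher
    }
    finally { $enc.Dispose(); $aes.Dispose() }
}

function Test-ZeroCredentialAccepted {
    # The ClientCredential Netlogon expects is AES-CFB8(sessionKey, IV = 0^16)
    # over the 8-byte ClientChallenge. With a zero challenge the register starts
    # as all zeros; if the first keystream byte is zero the ciphertext byte is
    # zero, the register stays all zeros, and every later byte is zero too. So an
    # all-zero credential is accepted exactly when AES(sessionKey, 0^16)[0] == 0,
    # which happens for about 1 in 256 keys.
    param([byte[]]$SessionKey)
    $zeroIv        = New-Object byte[] 16
    $zeroChallenge = New-Object byte[] 8
    $cred = ConvertTo-AesCfb8 -Key $SessionKey -Iv $zeroIv -Plaintext $zeroChallenge
    foreach ($b in $cred) { if ($b -ne 0) { return $false } }
    return $true
}

# The attacker does not know the session key (it is derived from the machine
# account password), so from their point of view it is random: model that by
# drawing random keys and counting how often the zero credential gets in.
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$trials = 2048
$hits   = 0
for ($t = 0; $t -lt $trials; $t++) {
    $key = New-Object byte[] 16
    $rng.GetBytes($key)
    if (Test-ZeroCredentialAccepted -SessionKey $key) { $hits++ }
}
"{0} of {1} random session keys accepted an all-zero ClientCredential (expected about {2})" -f $hits, $trials, ($trials / 256)
```

The count lands near 8 of 2048 on every run, which is why the real attack simply repeats the authentication handshake until the domain controller accepts it. Nothing here touches a domain controller; it only reproduces the arithmetic the patch changed.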

What is the potential impact of CVE-2020-1472?

Successful exploitation of CVE-2020-1472 allows an attacker to impersonate any computer on the network, including the domain controller itself, to disable the signing and sealing that protect the Netlogon channel, and to change the password of a computer's Active Directory account.

What does an attacker need to exploit Zerologon?

To exploit Zerologon an attacker needs network access to a domain controller; no credentials are required. That access can be gained by multiple means, such as phishing, drive-by exploits, or other initial-access techniques.

Mitigation

Microsoft released the Zerologon security update in August 2020 and recommended that customers patch as soon as possible. Once the August 2020 updates are deployed, organizations have the option to enable Domain Controller (DC) enforcement mode ahead of the Q1 2021 update. Enforcement mode is expected to break systems that do not use a secure Netlogon channel and may require software or firmware updates from the OEM or vendor. The update also adds event ID 5829, which identifies systems that are still using vulnerable Netlogon secure channel connections.

At this time Microsoft offers no mitigations other than patching, enabling enforcement mode, and monitoring the related event IDs (5827 through 5831). For non-Windows systems acting as a Domain Controller (DC), it is recommended to monitor the system event logs for vulnerable Netlogon secure channel connections.

What event IDs are logged once the August 2020 patch is installed on a domain controller?

The following event IDs are logged once the August 2020 patch is installed on a Domain Controller:

  • Event IDs 5827 and 5828 are logged when the domain controller denies a vulnerable Netlogon secure channel connection (5827 for a machine account, 5828 for a trust account). Once enforcement mode is enabled, every vulnerable connection that is not exempted by group policy is denied.
  • Event IDs 5830 and 5831 are logged when a vulnerable connection is allowed because the account is listed in the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy (5830 for a machine account, 5831 for a trust account).
  • Event ID 5829 is logged whenever a vulnerable Netlogon secure channel connection is allowed during the deployment phase, for both Windows and non-Windows devices.

What actions can I take to protect my devices from the Zerologon Vulnerability?

deepwatch recommends taking the following actions in vulnerable environments to assist in further protecting devices:

Action 1:
Patch all systems with Microsoft’s August 2020 security updates and verify successful installation with a vulnerability scanner, such as those from Qualys or Tenable, and with your organization’s patch management tools.

Action 2:
Forward domain controller System event logs to your SIEM, or otherwise monitor event ID 5829, to identify devices that are not using a secure Netlogon channel.

If a device is identified through event ID 5829, the steps recommended by Microsoft are as follows:

Windows Systems

– Confirm the device(s) are running supported versions of Windows.

– Ensure the system is fully updated.

– Check that the policy “Domain member: Digitally encrypt or sign secure channel data (always)” is set to Enabled.

For non-Windows systems acting as a Domain Controller for which an event is logged:

– Confirm that the non-compliant DC supports secure RPC with the Netlogon secure channel, then enable secure RPC on the DC.

– If the non-compliant DC does not support secure RPC, the device manufacturer (OEM) or software vendor will need to provide an update that supports secure RPC with the Netlogon secure channel.

– Failing that, remove the non-compliant DC.

If a non-compliant DC cannot support secure RPC with the Netlogon secure channel before the DCs enter enforcement mode, add its account to the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.

Further information on this action can be found at the following location on Microsoft’s site:

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Action 3:
Enable DC enforcement mode after confirming that all devices are compliant and will not break once it is enabled.

Note that the patch scheduled for release on February 9th, 2021 will automatically enable enforcement mode on Domain Controllers.

Detection

Vulnerability Management:

  • Qualys has released QID 91668 to detect this vulnerability. It is best used in conjunction with QID 45022 to confirm a system is a domain controller.
  • Tenable has released a total of 5 plugins to detect this vulnerability. You can find the specific plugin IDs at https://www.tenable.com/plugins/search?q=%22CVE-2020-1472%22. Use them in conjunction with plugin 10413 to confirm the system is a domain controller.

Note these detections require an authenticated scan to work properly.

An additional detection is to review event ID 5829 to find systems using vulnerable Netlogon connections. If event ID 5829 is never logged, that could mean no vulnerable connections are occurring, but it could also indicate that the August 2020 patch has not been deployed correctly or that a configuration change is required.
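The following PowerShell script is an added example of the triage described under Action 2 and in this Detection section; it is not code from the deepwatch post or from Microsoft. Run it in an elevated PowerShell on each patched Windows domain controller: it reports whether enforcement mode is on, pulls Netlogon events 5827 through 5831 from the System log, and collapses them to one row per device so the Microsoft steps above can be worked through. The registry value names follow KB4557222; the “Machine SamAccountName:” and “Domain:” labels are taken from the event message text (trust-account events 5828 and 5831 carry different fields, so those rows show no account). The function names are this example's own.

```powershell
# Added triage example for Netlogon events 5827-5831 on a patched Windows DC.
# Not code from the deepwatch post or from Microsoft. Run elevated on each DC.

$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$outcomeById = @{
    5827 = 'Denied (machine account)'
    5828 = 'Denied (trust account)'
    5829 = 'Allowed, deployment phase only'
    5830 = 'Allowed by GPO exception (machine account)'
    5831 = 'Allowed by GPO exception (trust account)'
}

function Get-NetlogonEnforcementState {
    # FullSecureChannelProtection = 1 switches the DC to enforcement mode ahead
    # of the February 2021 update (value name per KB4557222); absent or 0 means
    # the DC is still in the deployment phase and 5829 connections are allowed.
    $p = Get-ItemProperty -Path $netlogonParams -Name FullSecureChannelProtection -ErrorAction SilentlyContinue
    if ($null -ne $p -and $p.FullSecureChannelProtection -eq 1) { 'Enforcement' } else { 'DeploymentPhase' }
}

function Get-VulnerableNetlogonConnections {
    # One object per Netlogon event 5827-5831 logged in the System log.
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 5827, 5828, 5829, 5830, 5831
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Field labels as they appear in the event message text (assumed here).
        $account = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { $null }
        $domain  = if ($e.Message -match 'Domain:\s*(\S+)')                { $Matches[1] } else { $null }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Outcome = $outcomeById[$e.Id]
            Account = $account
            Domain  = $domain
        }
    }
}

function Get-NoncompliantDevices {
    # Collapse the events to one row per device and outcome: this is the list to
    # work through with the Microsoft steps (update the device, set the
    # "digitally encrypt or sign secure channel data" policy, or add a GPO
    # exception for a DC that cannot be fixed before enforcement).
    param([int]$Days = 7)
    Get-VulnerableNetlogonConnections -Days $Days |
        Where-Object { $_.Account } |
        Group-Object Account, Domain, Outcome |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Group[0].Account
                Domain   = $_.Group[0].Domain
                Outcome  = $_.Group[0].Outcome
                Events   = $_.Count
                LastSeen = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
            }
        } |
        Sort-Object Events -Descending
}

function Test-MemberSecureChannelPolicy {
    # For a Windows member flagged by 5829: RequireSignOrSeal = 1 is the registry
    # form of "Domain member: Digitally encrypt or sign secure channel data
    # (always)". Run this on the member, not on the DC.
    $p = Get-ItemProperty -Path $netlogonParams -Name RequireSignOrSeal -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.RequireSignOrSeal -eq 1)
}

'DC enforcement state: {0}' -f (Get-NetlogonEnforcementState)
Get-NoncompliantDevices -Days 7 | Format-Table -AutoSize
```

A DC that reports DeploymentPhase with an empty table over a representative window (a week covers most machine account password cycles) is a reasonable candidate for Action 3; a DC that reports DeploymentPhase and has never logged 5829 at all deserves the patch-verification check from Action 1 first.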
