Cybersecurity Threat Intelligence

Cybersecurity Announcement: Exploits in the wild for CVE-2020-1472 / Zerologon

Posted: 2020-11-19 16:45:48   Expiration: 2020-11-26 22:45:48

Disclaimer: This news item was originally posted on 2020-11-19 16:45:48. Its content may no longer be timely or accurate.

Cybersecurity is tracking a dramatic increase in the number and sophistication of publicly available proof-of-concept exploits circulating in the security research community this week. While we have yet to see a confirmed report of Zerologon being used in a malicious attack, we believe that the wide availability of PoC code makes it inevitable that this will happen. Cybersecurity sees CVE-2020-1472 as a clear and present danger to all Windows Domain Controllers. We urge system administrators to patch immediately, if they have not already done so.

About the Threat:

Multiple exploits for CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon, are now available in the wild. Researchers at Secura discovered the flaw and have named it Zerologon.

Actions to Consider:

Microsoft released a patch for this vulnerability in their August updates. All Active Directory domain controllers (including read-only domain controllers) should be updated immediately if they did not have August updates applied already.

Event Impact:

Zerologon allows an attacker on the local network to use a forged authentication token for specific Netlogon functionality to set the computer password on a Domain Controller to a known value (such as all zeros, or no password). With the password reset, the attacker can use the new password to take control over the DC and steal a domain admin's password. Once attackers gain domain admin access, they can do anything a domain admin can do, from adding new users and computers to installing software via scripts.
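A defender's check for the footprint of the password reset described above, as an added example that is not part of the original announcement: it scans exported Windows event records for a DC machine account changed by an anonymous caller (Security event 4742) and for vulnerable Netlogon connections the August 2020 patch still allows before enforcement (System event 5829). The DC account names, the event records and their field names are constructed assumptions shaped like a SIEM export.

```python
# Added example, not the advisory's own tooling. Event records are dicts with
# the Windows log field names; DC_ACCOUNTS and SAMPLE_EVENTS are constructed.
DC_ACCOUNTS = {"DC01$", "DC02$"}

SAMPLE_EVENTS = [
    # A DC's own computer account changed by ANONYMOUS LOGON (SID S-1-5-7):
    # the trace left when the Netlogon password is forced to a known value.
    {"EventID": 4742, "Channel": "Security", "SubjectUserName": "ANONYMOUS LOGON",
     "SubjectUserSid": "S-1-5-7", "TargetUserName": "DC01$"},
    # Benign: a workstation rotating its own machine password.
    {"EventID": 4742, "Channel": "Security", "SubjectUserName": "WS17$",
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1105", "TargetUserName": "WS17$"},
    # Patched DC still permitting a vulnerable secure channel from one client.
    {"EventID": 5829, "Channel": "System", "MachineName": "OLDSRV$"},
    {"EventID": 5829, "Channel": "System", "MachineName": "OLDSRV$"},
    {"EventID": 4624, "Channel": "Security", "SubjectUserName": "ANONYMOUS LOGON"},
]


def zerologon_indicators(events, dc_accounts=DC_ACCOUNTS):
    """Return (alerts, vulnerable_clients).

    alerts: critical findings (DC account reset by an anonymous caller).
    vulnerable_clients: count of 5829 events per client machine account,
    i.e. unpatched clients whose connections the DC still accepts.
    """
    alerts = []
    vulnerable_clients = {}
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4742:
            target = ev.get("TargetUserName", "")
            anonymous = (ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
                         or ev.get("SubjectUserSid") == "S-1-5-7")
            # Machines change their own passwords; a DC account changed by an
            # anonymous caller is the condition worth paging on.
            if target in dc_accounts and anonymous:
                alerts.append(f"CRITICAL: {target} password changed by anonymous caller")
        elif eid == 5829:
            client = ev.get("MachineName", "?")
            vulnerable_clients[client] = vulnerable_clients.get(client, 0) + 1
    return alerts, vulnerable_clients


if __name__ == "__main__":
    hits, clients = zerologon_indicators(SAMPLE_EVENTS)
    print("\n".join(hits) or "no critical alerts")
    for name, n in clients.items():
        print(f"WARN: {n} vulnerable Netlogon connection(s) still allowed from {name}")
```

Run against real exports, the 4742 rule is the one to alert on; the 5829 list is the inventory of clients to patch before switching the DCs to enforcement mode.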

References:

https://www.secura.com/blog/zero-logon
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
https://arstechnica.com/information-technology/2020/09/new-windows-exploit-lets-you-instantly-become-admin-have-you-patched/
https://www.helpnetsecurity.com/2020/09/15/cve-2020-1472/


-- IT Security Vulnerability Management: Hui-Chun Kuo