CVE-2020-1472:

Zerologon (CVE-2020-1472) is a critical elevation of privilege vulnerability in Microsoft's Netlogon Remote Protocol that allows attackers to establish vulnerable secure channel connections to domain controllers, potentially gaining domain administrator access without authentication.

Score
A numerical rating that indicates how dangerous this vulnerability is.

10.0Critical

Published Date:Aug 17, 2020
CISA KEV Date:Nov 3, 2021
Industries Affected:20

Armis Early Warning:

443 Days

Threat Predictions

EPSS Score:94.4
EPSS Percentile:100%

Exploitability

Score:3.9
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:CHANGED

Impact

Score:6.0
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Overview

The Zerologon vulnerability affects the Netlogon Remote Protocol, which is used for user and machine authentication on domain-based networks. The vulnerability exists because of an improper implementation of cryptographic authentication between clients and domain controllers, specifically in how the AES-CFB8 encryption is initialized with a static, predictable initialization vector of all zeros instead of using a random one. This allows attackers to: 1. Impersonate any computer on the network to a domain controller 2. Disable security features in the Netlogon authentication process 3. Change a computer's password on the domain controller 4. Completely take over a Windows domain by setting a blank password for the domain controller account The attack requires network access but no authentication, making it particularly dangerous in corporate environments. Once exploited, attackers can gain complete control over the Active Directory domain and all computers joined to it.

Remediation

Microsoft addressed this vulnerability through a phased two-part rollout:
Phase 1 (August 2020 security update):
Apply the initial security update from Microsoft
This update enables Domain Controllers to protect devices by default while allowing non-compliant devices to continue using vulnerable Netlogon secure channel connections
Monitor event logs for non-compliant device connections (Event IDs 5827 and 5828)
Phase 2 (February 2021 security update):
Apply the follow-up security update
This enforces secure RPC usage for all Windows and non-Windows devices
Non-compliant devices will be denied access unless explicitly allowed by admins
Additional remediation steps:
1. Ensure all domain controllers are patched immediately
2. Monitor domain controllers for signs of exploitation
3. Identify and update all applications and devices using Netlogon connections
4. Implement the enforcement mode after testing compatibility with existing systems
5. For Samba implementations, update to versions with the security patches
6. Consider implementing network segmentation to limit access to domain controllers