^{CVE-2020-1472:}Zerologon (CVE-2020-1472) is a critical elevation of privilege vulnerability in Microsoft's Netlogon Remote Protocol that allows attackers to establish vulnerable secure channel connections to domain controllers, potentially gaining domain administrator access without authentication.

The Zerologon vulnerability (CVE-2020-1472) is a critical security flaw in Microsoft's Netlogon Remote Protocol (MS-NRPC) that enables an unauthenticated attacker to establish a vulnerable Netlogon secure channel connection to a domain controller. By exploiting this vulnerability, attackers can run specially crafted applications on network devices and potentially compromise the entire domain by obtaining domain administrator privileges. The vulnerability stems from a cryptographic flaw in the authentication mechanism of the Netlogon protocol, specifically in how it handles secure channel connections. Due to its severity (CVSS 10.0) and ease of exploitation, Zerologon became one of the most significant Windows security vulnerabilities of 2020, with proof-of-concept exploits widely available.

Overview

The Zerologon vulnerability affects the Netlogon Remote Protocol, which is used for user and machine authentication on domain-based networks. The vulnerability exists because of an improper implementation of cryptographic authentication between clients and domain controllers, specifically in how the AES-CFB8 encryption is initialized with a static, predictable initialization vector of all zeros instead of using a random one. This allows attackers to:

1. Impersonate any computer on the network to a domain controller
2. Disable security features in the Netlogon authentication process
3. Change a computer's password on the domain controller
4. Completely take over a Windows domain by setting a blank password for the domain controller account

The attack requires network access but no authentication, making it particularly dangerous in corporate environments. Once exploited, attackers can gain complete control over the Active Directory domain and all computers joined to it.

Remediation

Microsoft addressed this vulnerability through a phased two-part rollout:

Phase 1 (August 2020 security update):

• Apply the initial security update from Microsoft
• This update enables Domain Controllers to protect devices by default while allowing non-compliant devices to continue using vulnerable Netlogon secure channel connections
• Monitor event logs for non-compliant device connections (Event IDs 5827 and 5828)

Phase 2 (February 2021 security update):

• Apply the follow-up security update
• This enforces secure RPC usage for all Windows and non-Windows devices
• Non-compliant devices will be denied access unless explicitly allowed by admins

Additional remediation steps:

1. Ensure all domain controllers are patched immediately
2. Monitor domain controllers for signs of exploitation
3. Identify and update all applications and devices using Netlogon connections
4. Implement the enforcement mode after testing compatibility with existing systems
5. For Samba implementations, update to versions with the security patches
6. Consider implementing network segmentation to limit access to domain controllers

References

1. Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
2. CERT Vulnerability Note: https://www.kb.cert.org/vuls/id/490028
3. Microsoft guidance on managing changes: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
4. Proof of Concept information: http://packetstormsecurity.com/files/159190/Zerologon-Proof-Of-Concept.html
5. Zerologon exploitation details: http://packetstormsecurity.com/files/160127/Zerologon-Netlogon-Privilege-Escalation.html
6. Samba security information: http://www.openwall.com/lists/oss-security/2020/09/17/2
7. Ubuntu Security Notice: https://usn.ubuntu.com/4510-1/
8. Oracle Critical Patch Update: https://www.oracle.com/security-alerts/cpuApr2021.html
9. Synology Security Advisory: https://www.synology.com/security/advisory/Synology_SA_20_21