Fix Soon

CVE-2020-1472

Microsoft Netlogon Privilege Escalation Vulnerability (Zerologon)

Summary

Microsoft's Netlogon Remote Protocol (MS-NRPC) on Windows Server domain controllers contains a privilege escalation flaw in the secure-channel authentication handshake: the credential that proves knowledge of a machine-account password is computed with AES-CFB8 under a fixed all-zero IV, so an all-zero credential is valid for roughly one handshake in 256. An unauthenticated attacker with network access to a domain controller can retry the handshake until one attempt is accepted (256 tries on average), impersonate the domain controller's own machine account, and reset that account's password through Netlogon. Successful exploitation exposes every credential in the directory, grants domain administrator privileges, and enables takeover of the Active Directory domain.

Why Fix Soon? 5/6
No authentication required
Internal deployment
No user interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type: EoP (Elevation of Privilege), exploitable remotely over MS-NRPC; this is not a local-only issue
Exploitable with default configuration? Yes
Authentication needed? No
PoC / Exploit: Yes
Impact

Reset the domain controller machine account password and take over the Active Directory domain.

Full System Compromise

Exploitation Requirements

None beyond network reachability to a domain controller's RPC endpoints (TCP 135 plus the dynamic RPC port it maps to, or the \PIPE\NETLOGON named pipe over SMB on TCP 445); vulnerable in default configuration.

Exploitation Process

An attacker first connects to a domain controller over MS-NRPC and runs the NetrServerReqChallenge / NetrServerAuthenticate3 handshake repeatedly, each time with an all-zero client challenge and an all-zero client credential and with RPC signing and sealing not requested. Because ComputeNetlogonCredential is AES-CFB8 with a fixed all-zero IV, the all-zero credential is correct for about one session key in 256, so on average 256 attempts (the public PoC gives up after 2,000) produce an accepted secure channel for the DC's own machine account. The attacker then calls NetrServerPasswordSet2 with an empty password, which sets the DC computer account's password in Active Directory to blank. Knowing that password, the attacker authenticates as the DC and performs DCSync, or otherwise dumps AD secrets, to obtain every domain credential, including krbtgt, and with it domain-level control. Caveat for testers: the reset changes only the password stored in AD, not the one held in the DC's local LSA secret, so the DC's own secure channel and replication break until the original password is restored (it can be recovered from the DC's local secrets after the takeover); run this only against a lab DC or with a tested recovery plan.
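Why the retry loop works, as an added example (not the page's, Microsoft's or any PoC's code): a simulation of the NetrServerReqChallenge / NetrServerAuthenticate3 exchange using the session-key derivation and ComputeNetlogonCredential construction from MS-NRPC, with a stand-in keyed PRF in place of AES (the property shown is CFB8 under a zero IV, independent of the block cipher), a constructed 16-byte secret in place of the MD4 password hash, and the DC modelled as a local class. It also shows why enforcement mode stops the attack: the attacker can pass the credential check by luck but cannot sign or seal without the session key.

```python
"""Root-cause simulation of CVE-2020-1472. This is an added example, not the
page's, Microsoft's or any PoC's code. The block cipher is a stand-in (keyed
SHA-256 truncated to 16 bytes), NOT AES: the flaw is a property of CFB8 mode
with a fixed all-zero IV, so any block cipher in that mode gives the same
1-in-256 acceptance rate. The MD4 hash of the DC machine-account password is
replaced by a constructed 16-byte secret, and the 'DC' is this file's own
class. Session-key derivation and ComputeNetlogonCredential follow the AES
variant described in MS-NRPC."""
import hashlib
import hmac
import random

BLOCK = 16  # block size in bytes (AES-128 in the real protocol)


def toy_block_encrypt(key, block):
    """Stand-in for AES-128 block encryption (constructed keyed PRF)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key, iv, plaintext):
    """CFB8 mode: keystream byte = E(K, shift_register)[0]; the register then
    drops its first byte and appends the ciphertext byte just produced."""
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ toy_block_encrypt(key, bytes(reg))[0]
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def derive_session_key(secret, server_challenge, client_challenge):
    """MS-NRPC AES session key: HMAC-SHA256(MD4(password), SC || CC)[:16];
    `secret` stands in for MD4(password)."""
    msg = server_challenge + client_challenge
    return hmac.new(secret, msg, hashlib.sha256).digest()[:BLOCK]


def compute_credential(session_key, challenge):
    """ComputeNetlogonCredential, AES variant: CFB8 over the 8-byte challenge
    with a fixed all-zero IV. With IV = 0 and challenge = 0 the first keystream
    byte is E(K, 0)[0]; when that byte is 0 the shift register never changes,
    so every output byte is 0. That holds for about 1 session key in 256."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def rand_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))


class SimulatedDC:
    """DC side of NetrServerReqChallenge / NetrServerAuthenticate3.
    enforce=True models Netlogon enforcement mode: a client that does not
    request RPC signing and sealing is refused (event 5827 on a real DC)."""

    def __init__(self, machine_secret, rng, enforce=False):
        self.secret, self.rng, self.enforce = machine_secret, rng, enforce
        self.server_challenge = self.client_challenge = None

    def req_challenge(self, client_challenge):
        self.client_challenge = client_challenge
        self.server_challenge = rand_bytes(self.rng, 8)  # fresh per attempt
        return self.server_challenge

    def authenticate3(self, client_credential, secure_rpc):
        if self.enforce and not secure_rpc:
            return False
        key = derive_session_key(self.secret, self.server_challenge,
                                 self.client_challenge)
        expected = compute_credential(key, self.client_challenge)
        return hmac.compare_digest(expected, client_credential)


def zerologon_attempts(dc, max_attempts=2000):
    """Attacker loop: all-zero ClientChallenge and ClientCredential, signing
    and sealing not requested (the attacker has no session key to sign with).
    Returns the attempt on which the DC accepted, or None."""
    zero8 = bytes(8)
    for attempt in range(1, max_attempts + 1):
        dc.req_challenge(zero8)
        if dc.authenticate3(zero8, secure_rpc=False):
            return attempt
    return None


def first_accepted_attempt(seed, max_attempts=2000, enforce=False):
    rng = random.Random(seed)
    dc = SimulatedDC(rand_bytes(rng, 16), rng, enforce)
    return zerologon_attempts(dc, max_attempts)


def acceptance_rate(trials, seed=1, enforce=False):
    """Fraction of handshakes that accept the all-zero credential."""
    rng = random.Random(seed)
    dc = SimulatedDC(rand_bytes(rng, 16), rng, enforce)
    hits = 0
    for _ in range(trials):
        dc.req_challenge(bytes(8))
        hits += dc.authenticate3(bytes(8), secure_rpc=False)
    return hits / trials


if __name__ == "__main__":
    print("vulnerable DC accepted on attempt", first_accepted_attempt(2020))
    print("enforcing DC accepted on attempt", first_accepted_attempt(2020, enforce=True))
    print("acceptance rate, vulnerable: %.4f" % acceptance_rate(20000))
```

Run it to see the vulnerable DC accept within a few hundred attempts and the enforcing DC never accept; acceptance_rate(20000) lands near 0.0039, i.e. 1/256. The attack needs only one acceptance, which is why the public PoC simply retries up to 2,000 times, and why mandatory signing and sealing (enforcement mode) is sufficient to stop it even though the credential check itself still has the 1/256 weakness.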

Detection Resources
Script Detection: 1
Scanner Detection: 2

Affected Software

Vendor: Microsoft
Product: Windows Server
Affected Versions: 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, version 1809, version 1903, version 1909 (the CPE list below also carries version 2004 and version 20H2)

Description

Microsoft's server operating system used for enterprise infrastructure such as domain controllers, identity services, file and print services, and application hosting. Only the domain controller role exposes the vulnerable Netlogon server, so DCs are the targets; member servers on the same builds are affected only by the enforcement changes that the updates bring to every Netlogon client. The CPE list below also names Samba and the Linux distributions and appliances that ship it: a Samba Active Directory DC is vulnerable when "server schannel" is not set to "yes" (the default since Samba 4.8), and Samba 4.10.18, 4.11.13 and 4.12.7 carry the fix.

Deployment: Typically internal | Protocol: MS-NRPC | Ports: 135 (RPC endpoint mapper, which hands out the dynamic Netlogon RPC port) and 445 (SMB, named pipe \PIPE\NETLOGON)
Affected Component: Netlogon secure channel authentication in the Netlogon Remote Protocol (MS-NRPC) on Active Directory domain controllers.

Vendor Size:Big
Remediation

Workaround
Set FullSecureChannelProtection=1 (REG_DWORD under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) on every domain controller that already has the August 11, 2020 update to enable enforcement mode early: vulnerable Netlogon secure channel connections are then denied except for accounts placed on the temporary allow list through the "Domain controller: Allow vulnerable Netlogon secure channel connections" Group Policy. Before flipping the switch, use the NETLOGON System events 5829 (vulnerable connection allowed while not yet enforcing) and, afterwards, 5827/5828 (denied) to find the non-Windows devices that still need vendor fixes. Source: support.microsoft.com

Patch

Not available

Update
Install the August 11, 2020 or later Windows security updates on all domain controllers. This initial deployment phase already blocks the published exploit, because it enforces secure RPC for Windows machine accounts, trust accounts and all DC accounts, while only logging (not blocking) vulnerable connections from other devices. Then apply the February 9, 2021 or later updates, which turn enforcement mode on for all accounts regardless of the registry value. Source: support.microsoft.com
Threat Intelligence
EPSS Score: 94.4% (probability of exploitation in the next 30 days)
EPSS Percentile: 100% (rounded; higher than effectively every other scored CVE)
CISA KEV: Listed (cisa.gov)
Active Exploitation: Active
Threat Actors: 1
Cadet Blizzard

Russian GRU-linked actor targeting government and IT organizations in Ukraine, Europe, and Central Asia.

Detection Rules: 4
KQL: AlertInfo | where Title == 'Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)'
Other: NETLOGON System events 5829, 5830, 5831 (vulnerable secure channel connections that were allowed; once enforcement mode is on, watch 5827 and 5828 denials as well)
SPL: EventCode=4742 where the subject is ANONYMOUS LOGON and the changed account is a domain controller computer account (the NetrServerPasswordSet2 reset is logged with no authenticated subject)
SPL: Sysmon EventID 10 (process access) against lsass.exe on the domain controller shortly after the Zerologon activity, the secrets-dump step that follows a successful takeover
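The four rules above as runnable detection logic over constructed sample events; this is an added example, not the page's rules or any vendor's code. Field names inside each event's data map are the Windows Security, System and Sysmon event fields (SubjectUserName, TargetUserName, TargetImage); the envelope keys (ts, host, channel, event_id), the DC list, the 30-minute correlation window and every sample line are constructed. The NETLOGON event table includes 5827 and 5828 alongside the 5829 to 5831 events the page lists, since enforcement mode turns the "allowed" events into denials.

```python
"""Detection logic for the Zerologon rules listed on the page, run over
constructed sample events. Added example, not the page's rules or any vendor's
code. Field names inside "data" are the Windows Security/System/Sysmon event
fields (SubjectUserName, TargetUserName, TargetImage); the envelope (ts, host,
channel, event_id), the DC list and every sample line are constructed."""
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}  # constructed: machine accounts of the DCs
LSASS_WINDOW = timedelta(minutes=30)     # assumption: correlation window after a reset

# NETLOGON System events introduced by the August 2020 update
NETLOGON_EVENTS = {
    5827: ("high", "denied vulnerable Netlogon secure channel (machine account)"),
    5828: ("high", "denied vulnerable Netlogon secure channel (trust account)"),
    5829: ("medium", "allowed vulnerable Netlogon secure channel (DC not yet enforcing)"),
    5830: ("low", "allowed vulnerable connection: machine account on allow list"),
    5831: ("low", "allowed vulnerable connection: trust account on allow list"),
}

SAMPLE_EVENTS = [  # constructed log lines
    {"ts": "2020-09-14T10:02:11", "host": "DC01", "channel": "Security", "event_id": 4742,
     "data": {"SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY",
              "TargetUserName": "DC01$", "PasswordLastSet": "9/14/2020 10:02:11 AM"}},
    {"ts": "2020-09-14T10:02:12", "host": "DC01", "channel": "Security", "event_id": 4742,
     "data": {"SubjectUserName": "svc_sccm", "SubjectDomainName": "CORP",
              "TargetUserName": "WS042$", "PasswordLastSet": "-"}},
    {"ts": "2020-09-14T10:05:40", "host": "DC01",
     "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 10,
     "data": {"SourceImage": "C:\\Windows\\Temp\\m.exe",
              "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}},
    {"ts": "2020-09-14T10:07:00", "host": "DC01", "channel": "System", "event_id": 5829,
     "data": {"SamAccountName": "NAS01$", "ClientIP": "10.0.5.17"}},
    {"ts": "2020-09-15T08:00:00", "host": "DC02", "channel": "System", "event_id": 5827,
     "data": {"SamAccountName": "PRN07$", "ClientIP": "10.0.9.3"}},
]


def anonymous_dc_password_changes(events):
    """4742 on a DC computer account whose subject is ANONYMOUS LOGON: the
    NetrServerPasswordSet2 reset is logged this way because the attacker
    never authenticated as a user."""
    return [e for e in events
            if e["channel"] == "Security" and e["event_id"] == 4742
            and e["data"].get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
            and e["data"].get("TargetUserName") in DOMAIN_CONTROLLERS]


def lsass_access_after(events, reset_event):
    """Sysmon 10 against lsass.exe on the same host within LSASS_WINDOW after
    the reset: the secrets-dump step that follows a successful takeover."""
    t0 = datetime.fromisoformat(reset_event["ts"])
    return [e for e in events
            if e["host"] == reset_event["host"] and e["event_id"] == 10
            and e["channel"].endswith("Sysmon/Operational")
            and e["data"].get("TargetImage", "").lower().endswith("\\lsass.exe")
            and t0 <= datetime.fromisoformat(e["ts"]) <= t0 + LSASS_WINDOW]


def analyze(events):
    """Returns findings as (severity, rule, host, ts, detail) tuples."""
    findings = []
    for e in anonymous_dc_password_changes(events):
        findings.append(("high", "zerologon_password_reset", e["host"], e["ts"],
                         e["data"]["TargetUserName"] + " changed by ANONYMOUS LOGON"))
        for s in lsass_access_after(events, e):
            findings.append(("critical", "lsass_access_after_reset", s["host"], s["ts"],
                             s["data"]["SourceImage"] + " opened lsass.exe"))
    for e in events:
        if e["channel"] == "System" and e["event_id"] in NETLOGON_EVENTS:
            sev, what = NETLOGON_EVENTS[e["event_id"]]
            findings.append((sev, "netlogon_%d" % e["event_id"], e["host"], e["ts"],
                             "%s: %s from %s" % (what, e["data"].get("SamAccountName"),
                                                 e["data"].get("ClientIP"))))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(" | ".join(finding))
```

The 4742 rule is the high-confidence signal: a DC's own computer account password changed by ANONYMOUS LOGON has no benign explanation. The 5829 hits are hygiene rather than attack evidence (they name devices that will break when enforcement mode is enabled), which is why they are rated medium; 5827 after enforcement is worth a look because it is either an unfixed device or a blocked exploitation attempt.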

NVD Data


Description Summary

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

CVSS Base Score

10.0
Critical

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Version Upto: 4.4.5-0101, 4.10.18 (upper bounds of the non-Windows CPE ranges, most likely the Synology Directory Server and Samba 4.10 entries; these are not Windows build numbers)

Affected Software (CPE) (23)

  • cpe:2.3:o:microsoft:windows_server_1903:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_1909:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2004:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_20h2:-:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
  • cpe:2.3:a:synology:directory_server:*:*:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*