Critical Windows Authentication Vulnerability in Netlogon
Update 24 September: Microsoft has reported this vulnerability is now being exploited by attackers. Any organisations that haven't yet applied August 2020 security updates for Microsoft Windows Server should apply these updates as soon as possible.
A misconfiguration in the cryptographic protocol used by Windows’ Netlogon Remote Protocol (CVE-2020-1472) allows an unprivileged network user to set any machine account password to a blank (zero-length) password, including the password of the Domain Controller's own machine account. Leveraging this would allow full compromise of the Domain Controller.
At least one proof of concept has been released publicly, so the potential for active exploitation exists. Applying the August 2020 updates from Microsoft should be treated as a high priority if they have not already been applied to your systems. Windows Domain Controllers should be the first systems to receive the updates.
Any version of Windows Server that has the Domain Controller role installed and has not had the August 2020 update applied is affected. Vulnerable Windows Server versions include:
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server version 1903
- Windows Server version 1909
- Windows Server version 2004
It is likely that older, unsupported versions of Windows Server are also affected, but they will not receive an update to fix the vulnerability. Such systems should be upgraded to a supported operating system.
What this means
Any environment that has a vulnerable Domain Controller could be compromised by an attacker, which could lead to complete takeover of the domain.
What to look for
How to tell if you're at risk
Your systems are vulnerable to this exploit if there are any Windows servers with the Domain Controller role in your environment that have not had the August 2020 updates applied. All Domain Controllers in the environment must be updated to protect against this vulnerability; a single unpatched Domain Controller leaves the whole domain exposed.
What to do
Install the August 2020 updates on all Windows servers, with a focus on any servers that have the Domain Controller role installed. This update also adds new Event IDs that can be used to identify machines on the network that are attempting to use insecure Remote Procedure Call (RPC) channels. An additional update, expected in February 2021, will enforce the use of secure RPC channels unless a machine is given an explicit exception.
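The following PowerShell script is an added example for monitoring the new Event IDs; it is not CERT NZ's own script and not Microsoft's KB4557233 script linked below. The Event IDs (5827 to 5831) and the FullSecureChannelProtection registry value come from Microsoft's KB4557222 guidance; the script assumes the RSAT ActiveDirectory module is installed and that the caller can read the System event log and registry on every Domain Controller over WinRM.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not CERT NZ's or Microsoft's script). Assumes RSAT ActiveDirectory
# is installed and the caller can read the System event log and registry on each
# domain controller via WinRM.

# Netlogon event IDs introduced by the August 2020 update (documented in KB4557222):
#   5827 / 5828  vulnerable secure channel connection denied (machine / trust account)
#   5829         vulnerable connection allowed (logged only while in deployment mode)
#   5830 / 5831  vulnerable connection allowed by group policy exception (machine / trust account)
$NetlogonEventIds = 5827, 5828, 5829, 5830, 5831

function Get-NetlogonSecureChannelReport {
    [CmdletBinding()]
    param(
        # How many days of the System log to examine
        [int]$Days = 7,
        # Defaults to every domain controller in the current domain
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )

    foreach ($dc in $DomainController) {
        # FullSecureChannelProtection (KB4557222): 1 = enforcement mode, 0 or absent = deployment mode
        $enforce = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue).FullSecureChannelProtection
        }
        $mode = if ($enforce -eq 1) { 'enforcement' } else { 'deployment (vulnerable connections still allowed)' }

        $filter = @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = $NetlogonEventIds
            StartTime    = (Get-Date).AddDays(-$Days)
        }
        $events = @(Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue)

        if ($events.Count -eq 0) {
            # No related events: still report the DC so its enforcement state is visible
            [pscustomobject]@{ DomainController = $dc; Mode = $mode; EventId = $null; Count = 0; Accounts = '' }
            continue
        }

        # One row per event ID, listing the accounts named in those events.
        # Assumption: the message text contains "SamAccountName: <name>" as in the
        # KB4557222 event descriptions; anything else is reported as 'unparsed'.
        $events | Group-Object -Property Id | ForEach-Object {
            $accounts = $_.Group | ForEach-Object {
                if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { 'unparsed' }
            } | Sort-Object -Unique
            [pscustomobject]@{
                DomainController = $dc
                Mode             = $mode
                EventId          = [int]$_.Name
                Count            = $_.Count
                Accounts         = ($accounts -join ', ')
            }
        }
    }
}

# Usage: rows for 5829/5830/5831 name machines that still negotiate insecure
# channels and need attention before enforcement mode is switched on.
Get-NetlogonSecureChannelReport -Days 7 | Format-Table -AutoSize
```

Run it from a workstation with domain admin rights; any Domain Controller reporting deployment mode or 5829 events has devices on the network that will stop authenticating once secure RPC is enforced, so those devices should be patched or given a documented exception first.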
Ensure that your Domain Controllers are not internet-accessible. Any such systems that can be accessed over the internet are at higher risk of compromise.
- How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 - https://support.microsoft.com/en-nz/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
- CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
- Script to help in monitoring event IDs related to changes in Netlogon secure channel connections associated with CVE-2020-1472 - https://support.microsoft.com/en-nz/help/4557233/script-to-help-in-monitoring-event-ids-related-to-changes-in-netlogon
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.