What is CVE-2020-1472?
CVE-2020-1472, commonly known as “Zerologon,” is a critical vulnerability in Microsoft’s Netlogon Remote Protocol (MS-NRPC). This vulnerability allows an unauthenticated attacker to impersonate any computer, including the domain controller itself, and gain administrative access to a Windows domain. It affects Windows Server versions from 2008 R2 to 2019, making it a severe threat to enterprise networks that rely on Windows domain controllers for authentication and security.
CVSS Score and Severity
- CVSS Score: 10.0 (Critical)
- Severity: The CVSS score of 10.0 out of 10 indicates the highest level of severity, reflecting the critical impact of this vulnerability. It is classified as “Critical” due to the potential for complete domain compromise with minimal effort and no authentication required.
So what’s the problem?
CVE-2020-1472 poses a significant problem because it allows attackers to gain domain administrator privileges on a Windows domain controller without any prior authentication. This vulnerability can be exploited remotely, allowing attackers to take over the entire Windows domain, which can lead to the complete compromise of all systems within the domain. Given its ease of exploitation and the severity of its impact, this vulnerability is extremely dangerous for organizations with unpatched domain controllers.
Background and Context
Background on the vulnerability
CVE-2020-1472 was discovered by Secura BV and publicly disclosed in August 2020. The vulnerability lies in Microsoft’s implementation of the Netlogon Remote Protocol, which is used for authentication between Windows servers and domain controllers. The flaw allows attackers to bypass authentication and establish a secure channel to the domain controller, effectively giving them full control over the domain. This vulnerability was dubbed “Zerologon” due to the fact that it leverages a flaw in the cryptographic implementation where a zero value can be used to defeat security measures.
Description of the Vulnerability (CVE-2020-1472)
The vulnerability occurs because Microsoft’s Netlogon Remote Protocol fails to properly secure the process of establishing a secure channel to the domain controller. By sending a series of specially crafted Netlogon messages, an attacker can exploit the vulnerability to set a machine’s password to a known value (all zeros), thereby gaining access to the domain controller. This allows the attacker to impersonate any machine on the network, including the domain controller itself, and escalate their privileges to domain administrator.
Root Cause Analysis
The root cause of CVE-2020-1472 is a cryptographic flaw in the Netlogon Remote Protocol’s authentication mechanism. Specifically, the vulnerability arises from the way Netlogon handles the initialization vector (IV) in AES-CFB8 encryption, where an attacker can force the IV to be zero, leading to successful authentication with a zero-value challenge. This flaw allows the attacker to bypass normal security checks and gain unauthorized access to the domain controller.
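The CFB8 property behind the root cause above (and the all-zero values mentioned in the Description section), shown as an added example that is not code from the original page: with a zero IV and zero plaintext, the whole ciphertext is zero exactly when the first byte of the block cipher's output on the zero block is zero, which holds for roughly 1 key in 256. AES is replaced here by an HMAC-SHA256 stand-in (an assumption, so no crypto library is needed), because the collapse is a property of the CFB8 chaining rather than of AES itself.

```python
# Added example (not from the original page): why CFB8 with an all-zero IV
# and all-zero plaintext collapses. AES is replaced by an HMAC-SHA256
# stand-in (assumption); the weakness comes from the CFB8 shift register.
import hashlib
import hmac

BLOCK_SIZE = 16  # AES block size in bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption: keyed PRF truncated to 16 bytes."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB-8: each ciphertext byte is plaintext XOR the first byte of
    E(shift register); that ciphertext byte is then shifted into the register."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(shift))[0] ^ p
        out.append(c)
        # If the register is all zeros and c == 0, it stays all zeros forever.
        shift = shift[1:] + bytes([c])
    return bytes(out)


def zero_iv_collapses(key: bytes, length: int = 8) -> bool:
    """True when `length` zero plaintext bytes encrypt to all zeros under IV=0.
    This happens exactly when the first byte of E(key, 0^16) is zero: the
    register then never changes and every output byte repeats that zero."""
    return cfb8_encrypt(key, bytes(BLOCK_SIZE), bytes(length)) == bytes(length)


def all_zero_with_iv(key: bytes, iv: bytes, length: int = 8) -> bool:
    """Same test under a non-zero IV: one zero byte may still appear, but the
    register now holds IV bytes, so later output bytes are independent."""
    return cfb8_encrypt(key, iv, bytes(length)) == bytes(length)


def weak_key_fraction(n_keys: int) -> float:
    """Fraction of keys 0..n_keys-1 (as 4-byte values) for which IV=0 collapses;
    expected to be close to 1/256 for any good block function."""
    weak = sum(zero_iv_collapses(i.to_bytes(4, "big")) for i in range(n_keys))
    return weak / n_keys


if __name__ == "__main__":
    frac = weak_key_fraction(25600)
    print(f"collapsing keys: {frac:.4f} (1/256 is about 0.0039)")
```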
Impact and Exploitation
The impact of CVE-2020-1472
Exploiting CVE-2020-1472 can have devastating impacts, including:
- Complete Domain Takeover: The most severe impact is that an attacker can take full control of a Windows domain, gaining administrative privileges over all domain-joined computers.
- Data Breaches: Once the domain is compromised, attackers can access sensitive data, manipulate user accounts, and exfiltrate confidential information.
- Propagation of Attacks: With domain admin access, attackers can deploy malware, ransomware, or other malicious tools across the entire network, significantly amplifying the damage.
- Operational Disruption: The compromise of a domain controller can lead to significant operational disruptions, as critical IT services and infrastructure are dependent on the domain’s integrity.
Exploit
To exploit CVE-2020-1472, an attacker needs to be able to send Netlogon messages to a vulnerable domain controller. The exploitation process involves:
- Identifying a target domain controller running an affected version of Windows Server.
- Sending specially crafted Netlogon messages to the domain controller to reset its password to a known value (all zeros).
- Using the newly set password to gain administrative access to the domain controller and, by extension, the entire domain.
In-the-Wild Attacks
CVE-2020-1472 has been actively exploited in the wild since its disclosure. Threat actors have used this vulnerability to launch attacks against various organizations, particularly those that have been slow to apply the necessary patches. The vulnerability has been leveraged in ransomware campaigns, data exfiltration attacks, and in establishing persistent footholds within compromised networks.
Vulnerable code/package in the application
The vulnerable code is found within Microsoft’s implementation of the Netlogon Remote Protocol in Windows Server versions 2008 R2 through 2019. The specific issue lies in the cryptographic handling of authentication messages, where the initialization vector (IV) in the encryption process can be manipulated to bypass security checks.
Statistics on the vulnerability
CVE-2020-1472 has affected a large number of organizations worldwide, particularly those in sectors with large, complex IT infrastructures such as finance, healthcare, and government. According to various security reports, a significant percentage of domain controllers remained unpatched even months after the vulnerability was disclosed, leading to widespread exploitation.
Mitigation and Remediation
Mitigating CVE-2020-1472
To mitigate the risks associated with CVE-2020-1472, organizations should:
- Apply Patches: Microsoft has released patches that address this vulnerability. It is critical to update all domain controllers to the latest software versions as soon as possible.
- Enable Enforcement Mode: Microsoft introduced an “enforcement mode” to further protect against exploitation. This mode should be enabled following the patching process to ensure complete mitigation.
- Network Segmentation: Limiting network exposure of domain controllers and restricting access to Netlogon traffic can reduce the risk of exploitation.
Patch and Bypass: Fixes Added for CVE-2020-1472
Microsoft’s patches for CVE-2020-1472 modify the Netlogon authentication process to prevent the use of zero-value IVs in cryptographic operations. The patches are designed to ensure that Netlogon messages are properly authenticated, preventing unauthorized access to domain controllers. Organizations should also deploy Microsoft’s enforcement mode to prevent non-compliant devices from connecting to the domain controller.
Proactive response
A proactive security approach includes monitoring Netlogon traffic for unusual activity, conducting regular security assessments, and ensuring all systems are up to date with the latest security patches. Organizations should also review their domain controller security settings and apply additional hardening measures as needed.
Proof of Concept (POC)
A basic POC for CVE-2020-1472 involves using the Python script zerologon_tester.py, which exploits the flaw in the Netlogon protocol. The script tests whether a domain controller is vulnerable by attempting to set an empty password for a machine account.
python3 zerologon_tester.py <DC-IP> <Target-Hostname>
If the target is vulnerable, the script will indicate that the exploit was successful, allowing further actions such as resetting the domain controller password.
Real-world Impact and Response
Timeline/changelog
- August 2020: Public disclosure of CVE-2020-1472 by Secura BV.
- August 2020: Microsoft releases patches to address the vulnerability.
- September 2020: Active exploitation of the vulnerability begins, with various attacks reported worldwide.
- November 2020: Microsoft introduces enforcement mode to further mitigate the vulnerability.
Observed Activity
Since its disclosure, CVE-2020-1472 has been one of the most actively exploited vulnerabilities. Attackers have used it to gain domain admin privileges in various networks, leading to significant data breaches and operational disruptions. The vulnerability has been particularly attractive to ransomware groups, who use it to spread their malware across entire networks.
Mass Scanning
Following the disclosure of CVE-2020-1472, mass scanning for vulnerable domain controllers increased dramatically. Attackers used automated tools to identify unpatched servers, which were then targeted for exploitation. This wave of scanning led to a surge in successful attacks against organizations that had not yet applied the necessary patches.
Vulnerable Server Discovery
Vulnerable domain controllers can be discovered through targeted scanning or by exploiting misconfigurations in network security that expose Netlogon traffic to external threats. Organizations should take steps to secure their domain controllers and monitor for any signs of exploitation attempts.
Reasoning and Scoring
Corporate networks impacted globally
CVE-2020-1472 has had a significant global impact, particularly in industries that rely heavily on Windows Server environments. The vulnerability has led to widespread domain compromises, data breaches, and operational disruptions, with thousands of organizations affected worldwide.
Corporate numbers impacted by countries
- United States: Thousands of organizations, particularly in finance, healthcare, and government sectors, have been affected.
- Europe: Many enterprises in technology and manufacturing have reported incidents related to this vulnerability.
- Asia: A significant number of companies, especially in the telecommunications sector, have been impacted by Zerologon exploits.
Conclusion
Who should be paying attention to this?
IT administrators, cybersecurity professionals, and organizations using Windows Server domain controllers should prioritize attention to CVE-2020-1472. Ensuring that these systems are secure is critical for maintaining the overall security posture of their networks.
Who is exploiting it and how?
CVE-2020-1472 has been exploited by various threat actors, including state-sponsored groups and cybercriminals. These attackers use automated tools to exploit the vulnerability, gaining domain admin access and leveraging it for further attacks such as ransomware deployment, data exfiltration, and persistent access.
How are things likely to develop?
As more organizations apply patches and enable enforcement mode, the window for exploiting CVE-2020-1472 is closing. However, networks that remain unpatched are at significant risk. Continued vigilance and adherence to security best practices are essential to prevent future exploitation.
How long has it been around?
CVE-2020-1472 was disclosed in August 2020, but the underlying cryptographic flaw in the Netlogon protocol may have existed for many years before its discovery. This highlights the importance of regular security reviews and updates to identify and mitigate potential vulnerabilities.