Vulnerability Notice: CVE-2020-1472

Vendor:
Canonical, Debian

Affected Product:
Ubuntu Linux, Sid (Unstable)

CVSS SCORE:
10.0 of 10 (Critical)

Risk Index:
9.97 of 10 (Critical)

Description

A critical vulnerability has been identified in the Netlogon Remote Protocol (MS-NRPC) used by domain controllers. This vulnerability, tracked as CVE-2020-1472, allows an unauthenticated attacker to connect to a domain controller and gain domain administrator access, potentially compromising the entire domain.

Affected Product(s)

  • Canonical Ubuntu Linux (14.04 and 16.04)
  • Debian samba package versions before 2:4.13.2+dfsg-2
  • Microsoft Windows Server operating systems (versions 2008 R2, 2012, 2012 R2, 2016, 2019, 1903, 1909, 2004)

Technical Details

The CVE-2020-1472 vulnerability, commonly referred to as ZeroLogon, affects the Netlogon Remote Protocol (MS-NRPC) used by domain controllers (DCs) in Microsoft Windows systems. The vulnerability is due to an improper implementation of cryptographic standards in the Netlogon protocol.

Specifically, the issue lies in the use of a fixed, all-zero initialization vector (IV) for AES (Advanced Encryption Standard) in 8-bit cipher feedback (CFB8) mode. A fixed IV removes the randomization that the mode depends on for its security guarantees, allowing an attacker to forge Netlogon authentication tokens.

Exploiting ZeroLogon involves initiating a Netlogon session with a domain controller and sending specially crafted authentication requests where certain fields are set to zero (null) bytes. Because the IV is fixed, roughly one attempt in 256 succeeds. A successful attempt allows the attacker to impersonate any computer account, including that of the domain controller itself, and reset its password. With the domain controller's password reset, the attacker can potentially take control of the entire domain.
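To make the weakness concrete for readers assessing the crypto flaw, the following is an added illustration, not code from this advisory, from Microsoft or from the Samba project. It implements CFB8 mode exactly as described (each byte XORed with the first byte of the block function over a shift register) and shows why a fixed zero IV lets an all-zero plaintext collapse to an all-zero ciphertext for about one key in 256, while a fresh per-session IV does not. Because the Python standard library ships no AES, the block cipher is replaced by a SHA-256 keyed function truncated to 16 bytes (an assumption stated in the code); CFB mode only ever uses the forward direction of the block cipher, so the mode's structure and the 1-in-256 behaviour are unchanged. All keys and IVs are constructed test values.

```python
import hashlib
import random

BLOCK = 16  # AES block size in bytes


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (assumption: a SHA-256 keyed function
    truncated to 16 bytes, used because the standard library has no AES).
    CFB mode only calls the block cipher in the forward direction, so the mode
    behaves identically; only the primitive differs."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """8-bit cipher feedback: each plaintext byte is XORed with the first byte of
    E_k(shift register); the resulting ciphertext byte is shifted into the register."""
    state = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_fn(key, bytes(state))[0]
        c = p ^ keystream_byte
        out.append(c)
        state = state[1:] + bytes([c])  # drop oldest byte, append ciphertext byte
    return bytes(out)


def is_weak_under_zero_iv(key: bytes) -> bool:
    """With IV = 0 and an all-zero plaintext, the first ciphertext byte is E_k(0)[0].
    If that byte is 0 the shift register never changes, so every later keystream
    byte is the same 0 and the whole ciphertext collapses to zeros. For a random
    key this happens with probability about 1/256."""
    return block_fn(key, bytes(BLOCK))[0] == 0


def find_weak_key(start: int = 0) -> bytes:
    """Enumerate counter-derived test keys until one collapses under a zero IV."""
    i = start
    while True:
        key = i.to_bytes(BLOCK, "big")
        if is_weak_under_zero_iv(key):
            return key
        i += 1


def zero_iv_collapse_rate(trials: int, seed: int = 1) -> float:
    """Fraction of random keys for which zero IV + zero plaintext yields zero ciphertext."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
        if cfb8_encrypt(key, bytes(BLOCK), bytes(8)) == bytes(8):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    zero_iv, zero_pt = bytes(BLOCK), bytes(8)
    weak = find_weak_key()
    print("weak test key :", weak.hex())
    print("fixed zero IV :", cfb8_encrypt(weak, zero_iv, zero_pt).hex())   # all zeros
    fresh_iv = random.Random(7).getrandbits(128).to_bytes(BLOCK, "big")    # constructed per-session IV
    print("random IV     :", cfb8_encrypt(weak, fresh_iv, zero_pt).hex())  # no collapse
    print("collapse rate :", zero_iv_collapse_rate(5000))                  # close to 1/256
```

The defender's takeaway is the last two lines: the same weak key produces no collapse once the IV is fresh, which is why the fix is in the protocol's IV handling (and in refusing the insecure channel, as the patches do) rather than in the AES primitive.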

The discovery of ZeroLogon was significant because it impacted almost all actively supported versions of Microsoft Windows Server operating systems. Upon disclosure, attacks leveraging this vulnerability were observed, indicating its adoption by various threat actors.

Threat actors have exploited CVE-2020-1472 in various campaigns. Notably, ransomware groups like Black Basta and Cuba have utilized this vulnerability to establish a foothold in target networks. They typically leverage the flaw to elevate their privileges once initial access is gained through other means such as phishing, exploiting known vulnerabilities, or using malware like Qakbot and Cobalt Strike. The vulnerability also affects systems running Samba, an open-source implementation of the SMB/CIFS protocol that allows interoperability between networked devices. If improperly configured, Samba can have the same vulnerabilities as Netlogon on Windows, leading to potential domain compromise.

To mitigate ZeroLogon, Microsoft released patches, starting with the August 2020 update and followed by additional updates in February 2021. These patches enforce secure RPC and introduce new settings and policies to safeguard against exploitation. It is crucial that organizations apply these patches and monitor their systems for signs of compromise.

Weakness

The primary weakness associated with this vulnerability is improper authentication (CWE-287) and the use of insufficiently random values (CWE-330) in cryptographic operations. The vulnerability stems from the use of a fixed and predictable initialization vector (IV) for AES encryption, which undermines the cryptographic strength of the protocol.

Impact Assessment

If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system. Specifically, an unauthenticated attacker can impersonate any machine on the network, including domain controllers, leading to a complete domain takeover. The attacker can reset the domain controller’s password, allowing them to further compromise the network and escalate privileges to domain administrator.

Active Exploitation

Active exploitation of this vulnerability has been observed in the wild. For instance, threat actors and ransomware groups like Black Basta and Cuba have used ZeroLogon to facilitate initial access or privilege escalation within compromised networks. These adversaries are known for leveraging such vulnerabilities to conduct ransomware attacks and data exfiltration.

Ransomware Association

The vulnerability has been linked to ransomware attacks, specifically by groups like Black Basta, which exploits this vulnerability to gain initial access to the system. Once inside, these groups deploy ransomware to encrypt data and extort victims by demanding payment for decryption keys. They may also steal sensitive information and threaten to publish it if the ransom is not paid.

Mitigation and Resolution

Microsoft has released patches to address this vulnerability. Users are advised to apply the updates provided in the August 2020 and February 2021 security releases. These updates include enforcement of secure RPC for Netlogon secure channel connections and additional configurations to prevent exploitation. It is crucial to ensure that all domain controllers and systems running vulnerable versions are updated to the latest patches.

Recommendations

  • We strongly recommend that all customers apply the latest patch as soon as possible.
  • Ensure that domain controllers are updated with the August 2020 and February 2021 security releases from Microsoft.
  • Monitor DC event logs for event IDs 5827, 5828, and 5829 to identify non-compliant devices using vulnerable Netlogon secure channel connections.
  • Configure domain controllers to require secure RPC with Netlogon secure channel updates.
  • Implement network segmentation and monitoring to limit the spread of potential infections.
  • Educate users on detecting and reporting phishing attempts to reduce the risk of initial compromise.
  • Regularly review and update cybersecurity policies and incident response plans to ensure readiness against potential attacks.
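The third recommendation names the event IDs to watch; the following triage routine is an added example of acting on them (it is not part of this advisory and not a Microsoft tool). It reads a JSON-lines export of the domain controller's System log (constructed sample records with invented hostnames, shaped the way a `Get-WinEvent` export might be serialized), keeps only events 5827, 5828 and 5829, and groups them by the device that caused them. The labelled field names it parses (Machine SamAccountName, Trust Name, Machine Operating System, Client IP Address) follow the text of the real Netlogon events; the export shape and all data values are assumptions. The output separates devices that are still being allowed over vulnerable channels (5829, to fix before enforcement) from those already being denied (5827/5828, broken today).

```python
import json
import re

# Netlogon event IDs introduced with the August 2020 update:
DENIED_MACHINE = 5827      # vulnerable connection from a machine account was denied
DENIED_TRUST = 5828        # vulnerable connection using a trust account was denied
ALLOWED_VULNERABLE = 5829  # vulnerable connection allowed (non-compliant device; denied once enforced)
NETLOGON_EVENTS = {DENIED_MACHINE, DENIED_TRUST, ALLOWED_VULNERABLE}

# Constructed sample export (invented hostnames, IPs and times; not real log data).
# One JSON object per line with TimeCreated, Id and Message, as an event export might be shaped.
SAMPLE_EXPORT = r'''
{"TimeCreated": "2020-09-15T08:01:12", "Id": 5829, "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n\nMachine SamAccountName: WS-OLD01$\nDomain: CORP\nAccount Type: Workstation Trust Account\nMachine Operating System: Windows 7 Professional"}
{"TimeCreated": "2020-09-15T08:02:40", "Id": 4624, "Message": "An account was successfully logged on."}
{"TimeCreated": "2020-09-15T09:30:00", "Id": 5829, "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n\nMachine SamAccountName: WS-OLD01$\nDomain: CORP\nAccount Type: Workstation Trust Account\nMachine Operating System: Windows 7 Professional"}
{"TimeCreated": "2020-09-15T10:00:00", "Id": 5827, "Message": "The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.\n\nMachine SamAccountName: NAS-BOX$\nDomain: CORP\nAccount Type: Workstation Trust Account\nMachine Operating System: Unix"}
{"TimeCreated": "2020-09-15T10:05:00", "Id": 5828, "Message": "The Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account.\n\nAccount Type: Trusted Domain Account\nTrust Name: PARTNER.EXAMPLE\nTrust Target: CORP.EXAMPLE\nClient IP Address: 10.9.8.7"}
{"TimeCreated": "2020-09-15T11:00:00", "Id": 5829, "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n\nMachine SamAccountName: PRINTSRV$\nDomain: CORP\nAccount Type: Workstation Trust Account\nMachine Operating System: Windows Server 2008"}
'''

# Labelled lines inside the event message body that identify the offending device.
FIELD_RE = re.compile(
    r"^(Machine SamAccountName|Trust Name|Client IP Address|Machine Operating System):[ \t]*(.*)$",
    re.MULTILINE,
)


def parse_export(text: str):
    """Yield one record per non-empty line of a JSON-lines export."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def message_fields(message: str) -> dict:
    """Extract the labelled fields from an event's message text."""
    return {name: value.strip() for name, value in FIELD_RE.findall(message)}


def triage(records) -> dict:
    """Group Netlogon vulnerability events by device.

    Returns {"allowed_vulnerable": {...}, "denied": {...}}; each maps a device
    (machine account or trust name) to count, event IDs, OS and last timestamp.
    """
    report = {"allowed_vulnerable": {}, "denied": {}}
    for rec in records:
        event_id = rec["Id"]
        if event_id not in NETLOGON_EVENTS:
            continue  # unrelated System-log noise
        fields = message_fields(rec["Message"])
        device = fields.get("Machine SamAccountName") or fields.get("Trust Name") or "<unknown>"
        bucket = report["allowed_vulnerable"] if event_id == ALLOWED_VULNERABLE else report["denied"]
        entry = bucket.setdefault(device, {
            "count": 0, "event_ids": set(),
            "os": fields.get("Machine Operating System"), "last_seen": "",
        })
        entry["count"] += 1
        entry["event_ids"].add(event_id)
        entry["last_seen"] = max(entry["last_seen"], rec["TimeCreated"])  # ISO-8601 sorts lexically
    return report


def triage_export(text: str) -> dict:
    return triage(parse_export(text))


if __name__ == "__main__":
    report = triage_export(SAMPLE_EXPORT)
    print("Still allowed over vulnerable Netlogon channels (fix before enforcement):")
    for device, info in sorted(report["allowed_vulnerable"].items()):
        print(f"  {device:<18} {info['count']:>3} events  last {info['last_seen']}  os={info['os']}")
    print("Already denied (broken now, needs attention):")
    for device, info in sorted(report["denied"].items()):
        print(f"  {device:<18} {info['count']:>3} events  ids={sorted(info['event_ids'])}")
```

Run this against a real export by replacing SAMPLE_EXPORT with the file contents; any device listed under the 5829 bucket is one whose Netlogon client still needs patching or reconfiguring before the February 2021 enforcement behaviour denies it outright.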
