Microsoft has announced the rollout of the Phase 2, permanent fix for the Netlogon elevation of privilege vulnerability (CVE-2020-1472), better known as Zerologon, which received its initial patch last August.
The vulnerability was first patched in the August 2020 Security Update, but Microsoft said at the time that it would complete the fix on Windows Domain Controllers in a two-phase rollout: an initial deployment phase that only logs vulnerable connections, followed by an enforcement phase that blocks them.
In that advisory, Microsoft warned that an attacker could establish a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network; no valid credentials are needed, only network access to the domain controller.
Starting with the February 9, 2021 Security Update release, Windows Domain Controllers will be placed in enforcement mode and will block vulnerable connections from non-compliant devices.
In practice, this means every Windows and non-Windows device must use secure RPC (signed and sealed Netlogon secure channel connections) to talk to a domain controller. Administrators can still admit a specific non-compliant device by adding its account to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, which creates an explicit exception for that account only.
Mitigation steps
As part of Microsoft’s Netlogon guidelines, administrators should follow these steps in order to secure their environment:
- Install the security updates released August 11, 2020 or later to address security vulnerability CVE-2020-1472 for Active Directory Domain Controllers and Windows devices.
- Discover all devices making vulnerable connections by monitoring the System event log on each domain controller for Netlogon event IDs 5827 through 5831 (5829 flags a vulnerable connection that was allowed and will be blocked under enforcement; 5827 and 5828 record connections already denied).
- Mitigate non-compliant devices making those vulnerable connections, by updating or reconfiguring them to use secure RPC, or by adding a policy exception for the few that cannot be fixed.
- Enable enforcement mode (FullSecureChannelProtection = 1 under the Netlogon Parameters registry key) to address CVE-2020-1472 in your environment ahead of the February 2021 update.
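The discovery and enforcement steps above, as an added PowerShell example that is not code from the article or from Microsoft. It is meant to be run as an administrator on a domain controller. It assumes, per Microsoft's CVE-2020-1472 guidance (KB4557222), that Netlogon writes events 5827 through 5831 to the System log under the provider name "NETLOGON", that the event message carries "Machine SamAccountName:" and "Machine Operating System:" lines (the regexes below are an assumption about that message format), and that enforcement is switched on by setting FullSecureChannelProtection to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. The function names are invented for this example.

```powershell
# Added example, not the article's or Microsoft's own code.
# Event IDs per KB4557222 (assumption, see lead-in):
#   5827/5828 - vulnerable connection denied (machine / trust account)
#   5829      - vulnerable connection allowed during the initial deployment phase
#   5830/5831 - vulnerable connection allowed by an explicit policy exception
$NetlogonEventIds = 5827, 5828, 5829, 5830, 5831
$NetlogonKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-VulnerableNetlogonClient {
    [CmdletBinding()]
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = $NetlogonEventIds
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when nothing matches; no events is the good outcome here.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $events | ForEach-Object {
        # Message field names are an assumption about the Netlogon event text.
        $account = if ($_.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
        $os      = if ($_.Message -match 'Machine Operating System:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
        $outcome = switch ($_.Id) {
            5827    { 'denied' }
            5828    { 'denied (trust account)' }
            5829    { 'ALLOWED - will be blocked under enforcement' }
            default { 'allowed by policy exception' }
        }
        [pscustomobject]@{
            Account  = $account
            OS       = $os
            EventId  = $_.Id
            Outcome  = $outcome
            LastSeen = $_.TimeCreated
        }
    } |
    Group-Object Account, EventId |
    ForEach-Object {
        # One row per (account, event id) with the most recent timestamp and a hit count.
        $latest = $_.Group | Sort-Object LastSeen -Descending | Select-Object -First 1
        $latest | Add-Member -NotePropertyName Count -NotePropertyValue $_.Count -PassThru
    } |
    Sort-Object EventId, Account
}

function Enable-NetlogonEnforcement {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Force)
    $current = (Get-ItemProperty -Path $NetlogonKey -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
    if ($current -eq 1) {
        Write-Host 'FullSecureChannelProtection is already 1; enforcement mode is on.'
        return
    }
    # Refuse to flip the switch while 5829 (allowed-but-vulnerable) is still being logged,
    # because those clients will lose their secure channel the moment enforcement starts.
    $stillVulnerable = Get-VulnerableNetlogonClient | Where-Object EventId -eq 5829
    if ($stillVulnerable -and -not $Force) {
        $stillVulnerable | Format-Table Account, OS, Count, LastSeen -AutoSize | Out-String | Write-Warning
        Write-Warning 'The clients above still make vulnerable connections; fix them or add a policy exception, or rerun with -Force.'
        return
    }
    if ($PSCmdlet.ShouldProcess($NetlogonKey, 'Set FullSecureChannelProtection = 1')) {
        Set-ItemProperty -Path $NetlogonKey -Name FullSecureChannelProtection -Value 1 -Type DWord
        Write-Host 'FullSecureChannelProtection set to 1 (enforcement mode).'
    }
}

# Usage on a domain controller, run as an administrator:
#   Get-VulnerableNetlogonClient -Days 30 | Format-Table -AutoSize
#   Enable-NetlogonEnforcement -WhatIf
#   Enable-NetlogonEnforcement
```

Run the discovery function on every domain controller, not just one, since each DC logs only the connections it served. Once the February 9, 2021 update is installed, enforcement is on regardless of the registry value, so the second function is only useful for turning it on early; the 5829 check is what protects you from enforcing before the last legacy client has been fixed or excepted.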
“Starting February 2021, enforcement mode will be enabled on all Windows Domain Controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable enforcement mode,” Microsoft warned in the blog post.