Microsoft has announced the launch of Phase 2 permanent fix for a Netlogon elevation of privilege vulnerability (CVE-2020-1472) that was patched last August.
The Netlogon vulnerability was patched as part of the August Security Update, but Microsoft said at that time they would be rolling out a new feature to permanently fix the issue on Windows Domain Controllers in a two-phased rollout.
In that update, Microsoft warned that an attacker could establish a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the elevation of privilege vulnerability (CVE-2020-1472) could run a specially crafted application on a device on the network.
Starting with the February 9, 2021 Security Update release, Windows Domain Controllers will be placed in enforcement mode and will block vulnerable connections from non-compliant devices.
In other words, Windows and non-Windows devices will now use secure Remote Procedure Call (RPC) with Netlogon secure channel. Devices can also explicitly allow the account by adding an exception for any non-compliant device.
As part of Microsoft’s Netlogon guidelines, administrators should follow these steps in order to secure their environment:
- Install the security updates released August 11, 2020 or later to address security vulnerability CVE-2020-1472 for Active Directory Domain Controllers and Windows devices.
- Discover all devices making vulnerable connections by monitoring event logs.
- Mitigate non-compliant devices making those vulnerable connections.
- Enable enforcement mode to address CVE-2020-1472 in your environment.
“Starting February 2021, enforcement mode will be enabled on all Windows Domain Controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable enforcement mode,” Microsoft warned in the blog post.
- Microsoft February 2021 Security Updates, warns of Win32k Privilege Escalation vulnerability exploited in wild
- Microsoft warns of ongoing exploits against Zerologon vulnerability (CVE-2020-1472)
- Microsoft January 2021 Security Updates (to include zero-day RCE patch)
- Microsoft August 2020 Security and Adobe Updates