The Cybersecurity and Infrastructure Security Agency (CISA) issued a new security advisory warning of publicly available exploit code for a Microsoft Netlogon vulnerability CVE-2020-1472.
Researchers have dubbed the vulnerability ‘Zerologon’ that could allow attackers to hijack Windows domain controllers.
Although Microsoft issued a patch for the vulnerability as part of the August security updates, new research suggests exploit code is now publicly available.
“An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network,” Microsoft stated in the advisory in August.
The tech giant further explained that an unauthenticated attacker could exploit the vulnerability by abusing MS-NRPC to connect to a domain controller and then obtain domain administrator access. Microsoft also provided more details on the Netlogon vulnerability a blog post.
In a more recent “zerologon” blog post, security expert Tom Tervoort of Secura discovered the severe vulnerability in the Netlogon protocol:
“The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.”
Secura
To add, Secura published a test tool on Github and also a whitepaper with more details on the vulnerability and exploit.
Other proofs of concept (PoCs) have been published to GitHub and will likely be used by actors soon to exploit new targets.