ZEROLOGON CVE-2020-1472
9/20/2020

The vulnerability, dubbed “Zerologon,” is a critical-severity privilege-escalation vulnerability (CVE-2020-1472) assigned a CVSS score of 10 out of 10. The flaw was addressed in Microsoft’s August 2020 security updates.

OVERVIEW

  • As part of the August 2020 Patch Tuesday security updates, Microsoft fixed a critical 10/10-rated security vulnerability known as 'CVE-2020-1472 Netlogon Elevation of Privilege Vulnerability', also known as Zerologon.

  • In order to mitigate this flaw, it is highly recommended to install Microsoft’s August 2020 security patches on all Active Directory domain controllers.

  • Unpatched domain controllers (DCs) allow attackers to compromise them and grant themselves domain admin privileges.

  • The only thing an attacker needs is the ability to set up TCP connections to a vulnerable DC; i.e., they need a foothold on the network, but do not require any domain credentials to compromise the DC.

  • The patch that addresses Zerologon also implements additional defense-in-depth measures that force domain-joined machines to use previously optional security features of the Netlogon protocol.

  • As confirmed by Microsoft, an update in February 2021 will further tighten these restrictions, which may break some third-party devices or software.

  • Installing the August 2020 patch on all domain controllers (including backup and read-only ones) is sufficient to block the high-impact exploits described here.
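Because the February 2021 enforcement phase can break devices that still negotiate the older, optional Netlogon protections, a defender will want to know which accounts are still making those connections before it arrives. The script below is an added example, not part of the original post: it assumes the August 2020 patch is installed on the DCs (that patch is what writes the Netlogon events 5827-5831 documented in Microsoft's CVE-2020-1472 guidance, KB4557222), that the RSAT ActiveDirectory module is present, and that the event message carries a "SamAccountName:" field in your localisation.

```powershell
# Added example (not from the original post). Assumes: August 2020 patch on all DCs,
# RSAT ActiveDirectory module available, remote Event Log access to each DC.
# Event IDs (per KB4557222): 5827/5828 = vulnerable connection denied (machine / trust
# account), 5829 = allowed during the initial deployment phase, 5830/5831 = allowed only
# because of the "Allow vulnerable Netlogon secure channel connections" group policy.
Import-Module ActiveDirectory

$ids   = 5827..5831
$since = (Get-Date).AddDays(-7)
$dcs   = (Get-ADDomainController -Filter *).HostName

$findings = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'System'
            Id        = $ids
            StartTime = $since
        } | ForEach-Object {
            # Assumption: the account name is taken from the message text; adjust the
            # pattern if the DC's display language labels the field differently.
            $account = if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
            [pscustomobject]@{
                DomainController = $dc
                EventId          = $_.Id
                Account          = $account
                LastSeen         = $_.TimeCreated
            }
        }
    } catch {
        # Get-WinEvent throws when no events match, and on RPC/permission failures;
        # a DC with no matching events in the window is the desired outcome.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

# One row per (account, event id). 5829 rows are the hosts that will be refused once
# enforcement mode is on; 5827/5828 rows are already being refused today.
$findings |
    Group-Object Account, EventId |
    ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Group[0].Account
            EventId  = $_.Group[0].EventId
            Count    = $_.Count
            LastSeen = ($_.Group | Measure-Object LastSeen -Maximum).Maximum
        }
    } | Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it from a workstation or jump host with domain-admin read access to the DCs' System logs; an empty result after a week of normal activity means no device still depends on the vulnerable connection type.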
