Netlogon Elevation of Privilege Vulnerability

ALERT: Netlogon Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been found in the Netlogon Remote Protocol (MS-NRPC) that may allow an attacker to gain domain admin credentials and restore the original domain controller password. The attack is completely unauthenticated: the attacker does not need any user credentials. Proof-of-concept exploits and tools have been released, and some of them have been verified to work.

This flaw affects Windows 2008 R2 to Windows Server 2019, as well as Windows Server, versions 1903, 1909 and 2004 (server core installation).

Microsoft has released a patch for this vulnerability as part of the August patch cycle. Applying this patch enables domain controllers (DCs) to protect devices. However, a second patch, scheduled for release on February 9, 2021, will be required to fully address this vulnerability. The second patch will ensure secure Remote Procedure Call (RPC) with Netlogon. To fully mitigate this vulnerability now, a registry setting can be changed to enforce secure RPC with Netlogon until the second patch is released in February 2021.

For more information, and to download individual patches for your operating system, see the following advisory from Microsoft.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

For information on how to configure the registry for enforcement mode, see the section labeled "Registry value for enforcement mode" in the following Microsoft article.

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
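
The following PowerShell audit is an added example, not part of the original alert or of Microsoft's article. It reports whether a patched DC is in enforcement mode and whether any devices are still making vulnerable Netlogon connections that enforcement would block. The registry value name and event IDs are those documented in the Microsoft article linked above; the 30-day look-back window and variable names are assumptions.

```powershell
# Added example: audit Netlogon secure-RPC enforcement on a patched DC.
# Run in an elevated PowerShell session on each domain controller.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$name = 'FullSecureChannelProtection'

# 1 = enforcement mode. 0 or absent = vulnerable connections from
# non-compliant devices are still accepted (and logged as 5829).
$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$mode  = if ($value -eq 1) { 'Enforcement' } else { 'Not enforced' }

# Netlogon events written to the System log by a patched DC:
#   5827, 5828 = vulnerable connection denied
#   5829       = vulnerable connection allowed (will fail under enforcement)
#   5830, 5831 = vulnerable connection allowed by a Group Policy exception
$since  = (Get-Date).AddDays(-30)   # assumed look-back window
$events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 5827, 5828, 5829, 5830, 5831
        StartTime = $since
    } -ErrorAction SilentlyContinue)

# Summary for this DC.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Mode            = $mode
    Denied          = @($events | Where-Object { $_.Id -in 5827, 5828 }).Count
    AllowedInsecure = @($events | Where-Object { $_.Id -eq 5829 }).Count
    AllowedByPolicy = @($events | Where-Object { $_.Id -in 5830, 5831 }).Count
}

# Devices that would lose connectivity under enforcement: review each
# 5829 message, then update or replace the device it names.
$events | Where-Object { $_.Id -eq 5829 } |
    Select-Object TimeCreated, Message |
    Format-List

# Once no 5829 events remain, enable enforcement mode:
# Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
```

Running this on every DC before changing the registry value shows which devices need attention first, since enforcement mode denies their connections.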

Additional information on this vulnerability can be found in the following article from Help Net Security.

https://www.helpnetsecurity.com/2020/09/15/cve-2020-1472/

