NETLOGON REMOTE PROTOCOL Vulnerability CVE-2020-1472

BACKGROUND

Microsoft Windows Netlogon vulnerablity affects Active Directory Domain Controllers in enterprise networks. A vulnerability dubbed as “Zerologon” with the official designation CVE-2020-1472 and a CVSS (Common Vulnerability Scoring System) of 10.0 (high impact) that allows attackers to impersonate a domain-joined computer including a domain controller and obtain domain administrator privilege. The attack can be executed in approximately 3 seconds only. A variety of attacks may follow such as (and not limited to) disabling security features, password amendment, and taking control of the whole domain or network.Unpatched systems are vulnerable to this attack and the attacker could exploit this vulnerability to obtain domain administrator access.

 

IMPACT

  • Allows an attacker to completely compromise Windows domain
  • Attacker may obtain domain administrator access
  • Attacker is able to set the password of the Domain Controller to a known value
  • Attacker can use the set password to take control over the domain controller and might create a domain administrator account.
  • Attacker will be able to access all connected devices and services
  • Attacker might use this vulnerability to install ransomware to the organization

 

AFFECTED SYSTEMS

  • All Supported Windows Server Version 2008 R2 and above, especially function as Active Domain Controller in an Enterprise Network

 

RECOMMENDATIONS

  • All Active Directory domain controllers and readonly domain controllers must be updated to enforce secure RPC with Netlogon secure channel
  • Always patch your operating system to the latest version
  • Install antivirus software and update it frequently
  • Do not click any suspicious links from unknown senders especially via email as this attack might come from email
  • Always backup files, preferably offline
  • Use strong passwords and change them every 3 months to ensure network access (both physical and remote) are properly configured