External risk intelligence

Microsoft Domain Controller Privilege Escalation Vulnerability.

CVE advisory | Known Exploit

CVE-2020-1472

A vulnerability in the Netlogon Remote Protocol can allow an unauthenticated attacker to gain domain administrator access. This could enable an attacker to run malicious applications on network devices, posing a risk to organizational control and data. Microsoft has released updates to address this issue.

Halo Surface Signal: 2

Microsoft Windows Server 1903

[Affected-version table flattened on extraction; recoverable ranges: before 4.4.5-0101; before 4.10.18; 4.11.0 to before 4.11.13; 4.12.0 to before 4.12.7. Remaining fragments: r2, 31, 32, 33, 15.1, 15.2, 14.04, 16.04, 18.04, 20.04, 9.0, 8.8]

External exposure likelihood

Halo Surface Signal score for CVE-2020-1472

This vulnerability affects the Netlogon Remote Protocol (MS-NRPC) used by domain controllers. Domain controllers are core infrastructure components that are, by design and best practice, isolated from the public internet and restricted to internal, private networks. While technically reachable if a network is misconfigured, public internet exposure of this service is uncommon.

Horizon Alert

Summary of the vulnerability and why it matters

An elevation of privilege vulnerability exists within the Netlogon Remote Protocol on domain controllers. This flaw allows an unauthenticated attacker to establish a secure channel connection to a domain controller. Successful exploitation enables the attacker to run custom applications on a network device, potentially leading to unauthorized administrative access.

  • Vulnerable Netlogon secure channel
  • Flaw allows unauthorized access
  • Impact includes administrative control

Attack Path

How an attacker could exploit the issue

This vulnerability allows an unauthenticated attacker to gain domain administrator privileges by exploiting the Netlogon Remote Protocol. The attacker can then run a specially crafted application on a network device. This can lead to unauthorized control over network resources and sensitive data.

  • Exposure: Internal network access required.
  • Attacker access: Establish vulnerable Netlogon connection.
  • Trigger: Run crafted application.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an attacker to gain domain administrator access by exploiting a flaw in how domain controllers establish secure connections. An attacker could then run malicious applications on a network device. The initial exploit requires an unauthenticated attacker to connect to a domain controller. While initially assessed as medium severity, its inclusion in the CISA Known Exploited Vulnerabilities catalog indicates a significant real-world threat.

  • Attacker skill level: Low to moderate.
  • Required access or conditions: Internal network access.
  • Business risk or urgency: High; listed in the CISA KEV catalog.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows an attacker to gain domain administrator access by establishing a vulnerable connection to a domain controller. Exploitation can result in an attacker running a specially crafted application on a network device. Microsoft has released updates to address this by modifying how Netlogon handles secure channel connections.

  • Identify all domain controllers and related systems.
  • Restrict Netlogon secure channel connections.
  • Apply vendor updates and validate their implementation.
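The three steps above can be turned into a repeatable check. The following PowerShell script is an added example, not part of this advisory or of Microsoft's guidance text: it enumerates the domain controllers of the current domain, reads the Netlogon enforcement setting (the FullSecureChannelProtection registry value documented by Microsoft for this fix) and collects the System-log events 5827 to 5831 that the patched Netlogon service writes when a vulnerable secure channel is denied or allowed. It assumes the RSAT ActiveDirectory module on the admin host, WinRM and remote event-log access to the domain controllers, and an account with administrative rights on them.

```powershell
# Added example (not from the advisory): audit each domain controller for
# Netlogon secure-channel enforcement and for vulnerable-connection events.
# Assumptions: RSAT ActiveDirectory module, WinRM to the DCs, admin rights.

Import-Module ActiveDirectory

# System-log events written by a Netlogon service that has the update:
#   5827/5828 = vulnerable connection DENIED (machine / trust account)
#   5829      = vulnerable connection ALLOWED (pre-enforcement phase)
#   5830/5831 = vulnerable connection ALLOWED by an explicit group policy exception
$NetlogonEventIds = 5827, 5828, 5829, 5830, 5831
$NetlogonParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonEnforcement {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $NetlogonParams -ScriptBlock {
        param($Path)
        # FullSecureChannelProtection = 1 forces secure RPC for every Netlogon
        # secure channel; absent or 0 leaves the deployment-phase behaviour.
        $value = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).FullSecureChannelProtection
        [pscustomobject]@{
            DomainController            = $env:COMPUTERNAME
            FullSecureChannelProtection = $value
            EnforcementOn               = ($value -eq 1)
        }
    }
}

function Get-VulnerableNetlogonEvents {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Days = 7)
    $filter = @{
        LogName   = 'System'
        Id        = $NetlogonEventIds
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports "no events found" as a non-terminating error; suppress it.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object MachineName, TimeCreated, Id,
            @{ Name = 'Detail'; Expression = { $_.Message.Split("`n")[0].TrimEnd() } }
}

# Step 1: identify every domain controller in the current domain.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $enforcement = Get-NetlogonEnforcement -ComputerName $dc.HostName
    $events      = @(Get-VulnerableNetlogonEvents -ComputerName $dc.HostName)
    [pscustomobject]@{
        DomainController = $dc.HostName
        EnforcementOn    = $enforcement.EnforcementOn
        Denied           = @($events | Where-Object { $_.Id -in 5827, 5828 }).Count
        Allowed          = @($events | Where-Object { $_.Id -in 5829, 5830, 5831 }).Count
    }
}

$report | Format-Table -AutoSize

# Steps 2 and 3: any DC still allowing vulnerable channels, or not yet enforcing,
# needs follow-up before enforcement mode is switched on domain-wide.
$report | Where-Object { $_.Allowed -gt 0 -or -not $_.EnforcementOn } | ForEach-Object {
    Write-Warning "$($_.DomainController): Allowed=$($_.Allowed) EnforcementOn=$($_.EnforcementOn)"
}
```

Two caveats when reading the output. The 5827 to 5831 events exist only on a domain controller that already has the update installed, so a DC that logs nothing is not necessarily clean; confirm the patch level separately and treat an unpatched DC as exposed. Counting the Allowed events (5829 to 5831) before enabling enforcement is what lets you find the devices that still negotiate an insecure Netlogon channel and fix or isolate them, which is the validation step the advisory's third bullet refers to.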

Frequently asked questions

What is the Netlogon Remote Protocol (MS-NRPC)?

MS-NRPC is a Windows server protocol essential for managing domain authentication and the secure channel connections between domain members and domain controllers. It plays a critical role in maintaining domain integrity and overseeing user and computer accounts.

How does CVE-2020-1472 lead to privilege escalation?

CVE-2020-1472, also known as Zerologon, exploits a weakness in how domain controllers handle Netlogon secure channel connections. This allows an unauthenticated attacker to establish a connection and gain domain administrator privileges.

What is the attack vector for CVE-2020-1472?

An unauthenticated attacker can exploit this vulnerability by using MS-NRPC to connect to a domain controller. This connection allows them to obtain domain administrator access.

What is the relevance of CVE-2020-1472 to network security?

This vulnerability has been listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating it has been actively exploited.

What steps should be taken to mitigate CVE-2020-1472?

Microsoft has released phased updates to address this vulnerability by changing how Netlogon handles secure channel connections. It is recommended to apply these updates as advised by Microsoft.
