
Netlogon Elevation of Privilege Vulnerability affecting Domain Controllers

Reference: Advisory #2020-030
Version: 1.0
Affected software:
Windows Server 2008 R2 for x64-based Systems Service Pack
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server, version 1903
Windows Server, version 1909
Windows Server, version 2004
Type: Authentication Bypass, Denial of Service (DoS)
CVE/CVSS: CVE-2020-1472 - CVSSv3 10

Sources

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2...
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-chang...
https://www.kaspersky.com/blog/cve-2020-1472-domain-controller-vulnerabi...
https://www.tenable.com/cve/CVE-2020-1472

Risks

An unauthenticated attacker with network access can impersonate a domain controller or any computer within the domain.
This gives the attacker several options, among them resetting the Active Directory computer account password of the domain controller to an empty password, which leads to a denial of service and potentially to administrator privileges on the domain.

Description

Microsoft Windows Netlogon Remote Protocol (MS-NRPC) is the authentication component of Active Directory that authenticates users and computer accounts. It uses AES-CFB8 with a fixed, publicly known all-zero initialization vector.
When a message consisting only of zero bytes is encrypted under this zero initialization vector, the ciphertext is itself all zeros for roughly 1 in 256 keys, so an attacker has a 1 in 256 chance per attempt of successfully authenticating as any domain-joined computer. This allows impersonation of domain controllers and makes it possible for an attacker to change the Active Directory computer account password and potentially gain domain administrator privileges.

To abuse this vulnerability an attacker first needs access to the corporate network.
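The following illustration, added here and not part of the CERT.be advisory or of any Microsoft code, shows why the zero initialization vector gives the 1 in 256 figure: CFB8 feeds each ciphertext byte back into the shift register, so an all-zero register and an all-zero plaintext stay all zero as soon as the first keystream byte is zero. AES is taken from the `cryptography` package when installed; otherwise a keyed SHA-256 stand-in (an assumption, not AES) is used, which is sufficient because CFB mode only uses the forward direction of the block function.

```python
"""Why a zero IV breaks AES-CFB8 (added illustration, not CERT.be's or Microsoft's code).

CFB8 encrypts byte by byte: ciphertext byte = plaintext byte XOR first byte of
E(K, register); the register then shifts left one byte and takes the new
ciphertext byte. With a zero IV and all-zero plaintext, the register stays zero
for as long as the output stays zero, so the 8-byte result is all zero exactly
when the first byte of E(K, 0^16) is zero: about 1 key in 256.

AES is used via the 'cryptography' package when installed; otherwise a keyed
SHA-256 construction (assumption, not AES) stands in. CFB only needs the forward
direction of the block function, so the mode-level behaviour is identical.
"""
import hashlib

BLOCK = 16

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:
    def block_encrypt(key: bytes, block: bytes) -> bytes:  # stand-in PRF, not AES
        return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 encryption over a pluggable block function; iv is BLOCK bytes long."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])  # shift the ciphertext byte in
    return bytes(out)

def zero_credential(key: bytes) -> bool:
    """True when an all-zero 8-byte challenge encrypts to an all-zero credential."""
    return cfb8_encrypt(key, bytes(BLOCK), bytes(8)) == bytes(8)

def first_byte_zero(key: bytes) -> bool:
    """The condition zero_credential() reduces to, as argued in the docstring."""
    return block_encrypt(key, bytes(BLOCK))[0] == 0

def zero_fraction(n_keys: int) -> float:
    """Fraction of constructed sample keys 0..n_keys-1 yielding a zero credential."""
    hits = sum(zero_credential(i.to_bytes(BLOCK, "big")) for i in range(n_keys))
    return hits / n_keys

if __name__ == "__main__":
    print(f"zero credential for {zero_fraction(5120):.4f} of sample keys (expect ~1/256)")
```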

Recommended Actions

CERT.be recommends installing the latest updates for the affected Windows versions; they can be found on the official Microsoft Portal.