Netlogon Elevation of Privilege Vulnerability affecting Domain Controllers
CVE-2020-1472 - CVSSv3 10
Sources
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2...
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-chang...
https://www.kaspersky.com/blog/cve-2020-1472-domain-controller-vulnerabi...
https://www.tenable.com/cve/CVE-2020-1472
Risks
An unauthenticated attacker with network access can impersonate a domain controller or a computer within the domain.
This gives the attacker several possibilities, among which setting the password of the domain controller's Active Directory computer account to an empty password, leading to a denial of service and potentially to administrator privileges on the domain.
Description
Microsoft Windows Netlogon Remote Protocol (MS-NRPC) is an authentication component of Active Directory that authenticates users and computer accounts. It uses a known, fixed all-zero initialization vector (IV) in AES-CFB8 mode.
When a message consisting only of zeroes is encrypted with a zero initialization vector, there is a 1 in 256 chance that an attacker can successfully authenticate as any domain-joined computer. This allows impersonation of Domain Controllers and makes it possible for an attacker to change the Active Directory computer account password and potentially gain domain administrator privileges.
To abuse this vulnerability, an attacker first needs access to the corporate network.
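To show why a fixed all-zero IV matters, the following Go program is an added example (it is not from this advisory, from Microsoft's code or from MS-NRPC): a minimal AES-CFB8 encryptor that encrypts an 8-byte all-zero message under random keys and counts how often the ciphertext is all zeros too, first with the zero IV and then with a constructed non-zero IV. It models only the cipher mode; the Netlogon session-key derivation and message layout are left out, and the function names and trial count are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// cfb8Encrypt is AES in CFB8 mode: a 16-byte shift register starts as the IV;
// each plaintext byte is XORed with the first byte of the encrypted register,
// and the resulting ciphertext byte is shifted in (Go's stdlib CFB is CFB128).
func cfb8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	reg, ks, out := make([]byte, aes.BlockSize), make([]byte, aes.BlockSize), make([]byte, len(plaintext))
	copy(reg, iv)
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		copy(reg, reg[1:]) // copy handles the overlap: drop the oldest byte
		reg[len(reg)-1] = out[i]
	}
	return out, nil
}

// zeroCiphertextRate encrypts an 8-byte all-zero message under `trials` random
// 128-bit keys with the given IV and returns the fraction of keys whose
// ciphertext is all zeros. With a zero IV the register returns to all zeros
// after a zero output byte, so the whole message is zero whenever the first
// keystream byte is zero: about 1 key in 256.
func zeroCiphertextRate(iv []byte, trials int) float64 {
	hits, key, zeros := 0, make([]byte, 16), make([]byte, 8)
	for i := 0; i < trials; i++ {
		if _, err := rand.Read(key); err != nil {
			panic(err)
		}
		if ct, err := cfb8Encrypt(key, iv, zeros); err == nil && bytes.Equal(ct, zeros) {
			hits++
		}
	}
	return float64(hits) / float64(trials)
}

func main() {
	// "constructedIV-16" is a constructed 16-byte non-zero IV for comparison only.
	fmt.Printf("zero IV:  %.4f of keys (1/256 = %.4f)\n", zeroCiphertextRate(make([]byte, 16), 50000), 1.0/256)
	fmt.Printf("other IV: %.4f of keys\n", zeroCiphertextRate([]byte("constructedIV-16"), 50000))
}
```

The first rate lands near 1/256 while the second is effectively zero: the all-zero register is a fixed point of CFB8, which is where the advisory's 1-in-256 figure comes from.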
Recommended Actions
CERT.be recommends installing all the latest updates for the affected Windows versions; they can be found on the official Microsoft portal.