CVE-2020-1472
Discovered: Patched by Microsoft on August’s Patch Tuesday. Disclosed on September 11. Multiple public exploits available at the time of patching.
Impacted tech: Cryptography of Netlogon protocol
Attacker Location: Compromised internal computer
Highlights: Unbelievably easy to exploit
Leet was recently made aware of a critical vulnerability in Netlogon’s cryptography. The technical details were disclosed by Secura on September 11, but the vulnerability was patched on August 11 (Patch Tuesday).
CVE-2020-1472 (dubbed Zerologon) allows an attacker to elevate privileges by changing the computer account password of any domain-joined computer from their initial foothold on an internal network, so long as the compromised machine can connect to the target machine. Secura states that “by forging an authentication token for specific Netlogon functionality, [attackers are] able to call a function to set the computer password of the Domain Controller [or any other computer] to a known value. After that, the attacker can use this new password to take control over the domain controller and steal credentials of a domain admin.”
There are multiple publicly available exploits, as well as tools to check whether you are vulnerable.
The following repository contains a PoC and a restoration script that resets the domain controller's computer account password to its original value:
https://github.com/dirkjanm/CVE-2020-1472
What should I do?
Deploy the patch released on August 11.
References:
Secura’s Blog Post & Whitepaper:
https://www.secura.com/blog/zero-logon
https://www.secura.com/pathtoimg.php?id=2055
Microsoft’s Advisory (outdated at the time of this writing; it is rated “Exploitation Less Likely” because no public exploits were available when it was written on August 11):
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
