When CVE-2020-1472 was released on Aug 11, 2020, Microsoft addressed a critical remote code execution vulnerability in how the Netlogon secure channel is used. The fix is being rolled out in two separate phases. The Aug 11 patch covered the initial deployment phase, which:
The second half of this deployment will take place beginning with the February 9 security update. During this update, the DC (domain controller) enforcement mode will be enabled by default on all devices.
The Remote Code Execution category of vulnerabilities is almost always critical priority, especially for those that need no authentication. The Netlogon Remote Protocol (MS-NRPC) is used by AD (Active Directory) domains and includes an authentication method as well as the ability to establish a Netlogon secure channel. The exploit takes advantage of a flaw in this authentication and allows escalation of privileges: the attacker can impersonate a machine account and set a known or empty password for that account.
This attack can be used to obtain full domain administrator privileges, specifically by spoofing the domain controller's computer account, leading to a full compromise of the domain. There are several proofs of concept for this attack currently available.
There are four steps recommended by Microsoft as well as changes we’ve made to help:
From within Blumira, as long as domain controllers are sending System event logs, you can select the global report named “Netlogon Secure Channel Connections” to see if there are any impacted devices still using the insecure channels. We’ve also created a High-Priority Risk finding called “Netlogon Secure Channel Connection Vulnerability Detected.”
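If you want to triage the same System log data directly on a domain controller, the script below is an added example (not Blumira's code or report logic). It assumes the Netlogon event IDs Microsoft documented for CVE-2020-1472 (5827-5831), that it is run elevated on the DC, and that the account name can be pulled from the "Machine SamAccountName:" / "Trust Name:" text in each event's message; the -Days parameter and the regexes are ours.

```powershell
# Added example: summarize Netlogon secure channel events on a DC (System log).
# Event IDs per Microsoft's CVE-2020-1472 guidance:
#   5827 / 5828 = vulnerable connection DENIED (machine / trust account)
#   5829        = vulnerable connection ALLOWED (initial deployment phase only)
#   5830 / 5831 = vulnerable connection allowed by an explicit group policy exception
# Assumptions: run elevated on the domain controller; -Days and the message
# regexes are ours and rely on the documented event text.
param([int]$Days = 7)

$allIds     = 5827, 5828, 5829, 5830, 5831
$allowedIds = 5829, 5830, 5831
$deniedIds  = 5827, 5828
$start      = (Get-Date).AddDays(-$Days)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $allIds; StartTime = $start } `
    -ErrorAction SilentlyContinue
if (-not $events) { Write-Output "No Netlogon secure channel events in the last $Days day(s)."; return }

$rows = foreach ($e in $events) {
    $msg = $e.Message
    # Machine-account events carry "Machine SamAccountName:", trust events carry "Trust Name:".
    $acct = '<unparsed>'
    if ($msg -match 'SamAccountName:\s*(\S+)')  { $acct = $Matches[1] }
    elseif ($msg -match 'Trust Name:\s*(\S+)')  { $acct = $Matches[1] }
    $os = if ($msg -match 'Operating System:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
    $outcome = if ($e.Id -eq 5829) { 'ALLOWED (vulnerable)' }
               elseif ($deniedIds -contains $e.Id) { 'denied' }
               else { 'allowed by policy' }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Outcome = $outcome; Account = $acct; OS = $os }
}

# One line per account: how often it was seen, and how many connections were still let through.
# Any account with Allowed > 0 is a device that will break (or is deliberately exempted)
# once DC enforcement mode is on, so it is the one to fix first.
$rows | Group-Object Account | ForEach-Object {
    $g = $_.Group
    [pscustomobject]@{
        Account  = $_.Name
        Events   = $_.Count
        Allowed  = @($g | Where-Object { $allowedIds -contains $_.Id }).Count
        Denied   = @($g | Where-Object { $deniedIds  -contains $_.Id }).Count
        LastSeen = ($g | Sort-Object Time -Descending | Select-Object -First 1).Time
        OS       = ($g | Select-Object -First 1).OS
    }
} | Sort-Object Allowed -Descending | Format-Table -AutoSize
```

Run it on each DC (or collect the events centrally), since the events are written only by the DC that handled the connection.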
Any Windows Server 2012 and above devices are impacted.
Additional Resources:
To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity. Download our Guide to Microsoft Security.