
Zerologon (CVE-2020-1472) detection, patching and monitoring

Pentesting
Sep 23, 2020
Riyaz W

A quick post describing CVE-2020-1472, a Critical security flaw in Windows domain controllers christened “Zerologon”, along with exploitation, detection and remediation steps.

Many Windows accessible to unauthenticated pedestrians :) (Photo by Ján Jakub Naništa on Unsplash)
Introduction

The last week has been busy for Windows administrators all around the world applying patches, setting up monitoring and discussing CVE-2020-1472, a CVSS 10 rated Critical remotely exploitable privilege escalation vulnerability in Microsoft Windows’ Netlogon authentication process. Popularly known as “Zerologon”, the vulnerability was discovered by the security firm Secura who published a technical paper describing the vulnerability.

Successful exploitation of the ‘Zerologon’ bug by an attacker who can establish a network connection to the Netlogon RPC interface of a vulnerable domain controller allows a full compromise of the machine and, from there, the entire domain. No credentials are needed for the attack. Several Proof of Concept exploitation scripts and tools have already been released.

Detection, Exploitation and Patching

Several detection scripts have now been released, the first being the one by the Secura team. Tenable Nessus, Qualys and other leading vulnerability scanners have added detection checks. Additionally, Metasploit will soon have a working auxiliary module, and mimikatz and other PoCs are appearing on GitHub every other day that attackers can run out of the box to gain Domain Administrator privileges!

It is speculated that the exploit code could very soon be woven into malware and ransomware that could then be used to infect networks to gain access to data and systems.

Microsoft is fixing this in two phases with the Initial Deployment Phase already started with updates released on August 11, 2020. The Enforcement Phase will begin on February 9th 2021 and will require all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device through the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.

You can download the patches for the Initial Deployment Phase for your version of Windows Server from https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

The most common form of the exploitation PoCs that we have seen changes the domain controller's machine account password in AD to an empty string; that account with its now-empty password is then used to pull NTLM hashes from the AD database (ntds.dit) with secretsdump.py or to execute commands with tools like wmiexec.py or psexec.py (all from the Impacket library). Note that the reset only changes the password stored in AD, not the copy the DC keeps in its local LSA secret, so the DC falls out of sync (replication and every service that authenticates with the machine account breaks) until the original password is restored; the PoCs recover it from the DC's LSA secrets and put it back. Additionally, attackers could also use the initial access to the DC to obtain the hash of the krbtgt account and create golden tickets that give access to the domain even after the patches are in place and passwords have been changed, unless the krbtgt password is reset twice.
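Before the password reset described above, every PoC has to get past the Netlogon handshake without knowing the machine account password. The following is an added example, not code from the original post and not Secura's PoC, that shows why that works: the client credential is AES-128-CFB8 of the 8-byte client challenge with an all-zero IV, so for an all-zero challenge the credential is all zeros whenever the first byte of E_k(0^16) is zero, which holds for about 1 in 256 session keys, and the DC picks a fresh server challenge (and thus a fresh session key) on every attempt. The flaw lies in the mode, not in AES, so the block function here is a stand-in, SHA-256(key || block) truncated to 16 bytes, to keep the script standard-library only; the 1/256 behaviour is identical. The session key derivation, the server model and the patched-server check (the August 2020 update rejecting client challenges whose first five bytes are identical, with signing/sealing enforcement left out) are simplifications and assumptions of this example, not the MS-NRPC wire protocol.

```python
"""Simulation of the Zerologon authentication bypass (CFB8 with a zero IV).
Added example; stand-in block function and simplified handshake, see lead-in."""
import hashlib
import hmac
import random
from typing import Optional

BLOCK = 16
ZERO_IV = bytes(BLOCK)
ZERO_CHALLENGE = bytes(8)


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption. CFB only uses the forward
    direction, so a one-way keyed function is enough to show the mode flaw."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: per byte, encrypt the 16-byte shift register, XOR its first byte
    with the plaintext byte, then shift the ciphertext byte in on the right."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_fn(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Same shape as the vulnerable ComputeNetlogonCredential: CFB8 with IV = 0."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zero_credential_succeeds(session_key: bytes) -> bool:
    """Does challenge 00..00 encrypt to credential 00..00 under this key?"""
    return compute_netlogon_credential(session_key, ZERO_CHALLENGE) == ZERO_CHALLENGE


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """Analytical condition: the register starts all zero; if E_k(0)[0] == 0 the
    first ciphertext byte is 0, the register stays all zero and every later byte
    repeats the same computation. So all-zero output <=> E_k(0)[0] == 0."""
    return block_fn(session_key, ZERO_IV)[0] == 0


def count_weak_keys(n: int) -> int:
    """How many of the keys 0..n-1 accept a zero credential; expect about n/256."""
    return sum(zero_credential_succeeds(i.to_bytes(BLOCK, "big")) for i in range(n))


def derive_session_key(machine_password: bytes, client_challenge: bytes,
                       server_challenge: bytes) -> bytes:
    """Simplified stand-in for the Netlogon session key derivation (assumption;
    the real one is HMAC-SHA256 keyed with MD4(password) over both challenges)."""
    return hmac.new(machine_password, client_challenge + server_challenge,
                    hashlib.sha256).digest()[:BLOCK]


class NetlogonServer:
    """Minimal model of the DC side of NetrServerReqChallenge/NetrServerAuthenticate3."""

    def __init__(self, machine_password: bytes, rng: random.Random, patched: bool = False):
        self.machine_password = machine_password
        self.rng = rng
        self.patched = patched
        self.client_challenge = b""
        self.session_key = b""

    def server_req_challenge(self, client_challenge: bytes) -> bytes:
        """Fresh random server challenge, hence a fresh session key, on every attempt:
        that is what gives the attacker an independent 1/256 chance per try."""
        server_challenge = bytes(self.rng.getrandbits(8) for _ in range(8))
        self.client_challenge = client_challenge
        self.session_key = derive_session_key(self.machine_password, client_challenge, server_challenge)
        return server_challenge

    def server_authenticate(self, client_credential: bytes) -> bool:
        """Accept if the client's credential matches. patched=True models the
        August 2020 check rejecting client challenges with five identical leading bytes."""
        if self.patched and len(set(self.client_challenge[:5])) == 1:
            return False
        expected = compute_netlogon_credential(self.session_key, self.client_challenge)
        return hmac.compare_digest(expected, client_credential)


def demo_server(seed: int, patched: bool = False) -> NetlogonServer:
    """DC with a machine password the attacker never sees; seeded RNG for repeatability."""
    return NetlogonServer(b"machine-password-unknown-to-attacker", random.Random(seed), patched)


def zerologon_attack(server: NetlogonServer, max_attempts: int = 2000) -> Optional[int]:
    """Send client challenge 00..00 and credential 00..00 until the DC accepts.
    Returns the successful attempt number, or None if the DC never accepted."""
    for attempt in range(1, max_attempts + 1):
        server.server_req_challenge(ZERO_CHALLENGE)
        if server.server_authenticate(ZERO_CHALLENGE):
            return attempt
    return None


if __name__ == "__main__":
    print("weak keys among the first 5000:", count_weak_keys(5000))
    print("vulnerable DC accepted on attempt:", zerologon_attack(demo_server(2020)))
    print("patched DC accepted on attempt:", zerologon_attack(demo_server(2020), patched=True))
```

Secura's tester uses the same 2000-attempt budget; with an independent 1/256 chance per try the bypass fails only with probability (255/256)^2000, about 0.04 percent, which is why the PoCs report "not vulnerable" after 2000 denials.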

What can I do next?
  1. Identify if you are running a vulnerable Domain Controller by looking at the table at https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1472 under “Security Updates”
  2. Apply necessary patches as prescribed by Microsoft
  3. If all devices on your network are compliant and support secure RPC with Netlogon secure channel then enable “Enforcement Mode” to disallow devices from connecting insecurely to the DC. After the patch has been applied on the DC, set the “FullSecureChannelProtection” DWORD to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. From the Enforcement Phase on February 9th 2021 DCs are in enforcement mode regardless of this key.
  4. You can monitor patched DCs for event ID 5829 (logged by NETLOGON in the System log, not the Security log) to identify non-compliant devices that were allowed to logon over vulnerable Netlogon secure channels; once enforcement is on, denied connections show up as event ID 5827 (machine accounts) and 5828 (trust accounts). Microsoft provides a script that you can customise for your environment.
  5. If patching immediately is not possible then monitor for event ID 4662 (An operation was performed on an object) being triggered multiple times in a short period with Properties containing the GUIDs {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} (DS-Replication-Get-Changes) and/or {19195a5b-6da0-11d0-afd3-00c04fd930c9} (the domainDNS class), the DCSync pattern used to grab password hashes after exploitation.
  6. Also log and alert on event ID 4742 (A computer account was changed) where the Subject is NT AUTHORITY\ANONYMOUS LOGON (SID S-1-5-7) and the target is a domain controller's machine account with Password Last Set updated: that is the Zerologon password reset itself. A 4742 of this kind followed by the 4662 burst above indicates a successful compromise, not merely an attempt.
  7. To check whether you are safe, use the tester at https://github.com/SecuraBV/CVE-2020-1472. The Python script only performs the authentication step (it does not reset the DC password) and clearly tells you if the system is patched and protected or not.
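The monitoring rules in steps 4 to 6 above, run over constructed Windows event records, as an added example that is not part of the original post. The events are simplified dicts; the field names follow the EventData element names of events 4742 and 4662 (Security log) and 5829 (System log) as an assumption, and the DC inventory, the thresholds and the sample events are all constructed. In production the same functions would be fed from a Get-WinEvent or SIEM export. Note that 4662 carries no network address, and ordinary DC-to-DC replication produces the same 4662 pattern from DC machine accounts, which is why DCSync rules commonly exclude them; the Zerologon case stands out because the burst comes from a DC account that was just reset by ANONYMOUS LOGON, so the last function correlates the two.

```python
"""Zerologon event log detection over constructed sample events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# GUIDs that appear in the Properties field of 4662 during replication-style reads.
DS_REPLICATION_GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
DOMAIN_DNS_CLASS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"
REPLICATION_GUIDS = (DS_REPLICATION_GET_CHANGES, DOMAIN_DNS_CLASS)
ANONYMOUS_LOGON_SID = "S-1-5-7"  # NT AUTHORITY\ANONYMOUS LOGON

DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}  # constructed inventory of DC machine accounts

T0 = datetime(2020, 9, 14, 10, 0, 0)
SAMPLE_EVENTS: List[dict] = [  # constructed, not real log data
    # Zerologon password reset: ANONYMOUS LOGON changes DC01$ and PasswordLastSet moves.
    {"EventID": 4742, "TimeCreated": T0, "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$",
     "PasswordLastSet": "9/14/2020 10:00:00 AM"},
    # Legitimate change by an admin; 4742 logs unchanged attributes as "-".
    {"EventID": 4742, "TimeCreated": T0 + timedelta(minutes=2),
     "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "admin1",
     "TargetUserName": "WS042$", "PasswordLastSet": "-"},
    # DCSync-style reads as DC01$ (the reset account) a few seconds after the reset.
    *[{"EventID": 4662, "TimeCreated": T0 + timedelta(seconds=5 + i),
       "SubjectUserName": "DC01$", "ObjectType": DOMAIN_DNS_CLASS,
       "Properties": "Control Access " + DS_REPLICATION_GET_CHANGES + " " + DOMAIN_DNS_CLASS}
      for i in range(4)],
    # A single replication read by admin1 later: below threshold on its own.
    {"EventID": 4662, "TimeCreated": T0 + timedelta(minutes=5), "SubjectUserName": "admin1",
     "ObjectType": DOMAIN_DNS_CLASS, "Properties": "Control Access " + DS_REPLICATION_GET_CHANGES},
    # Unrelated 4662 (read of a user object), ignored by the rule.
    {"EventID": 4662, "TimeCreated": T0 + timedelta(seconds=6), "SubjectUserName": "svc_backup",
     "ObjectType": "{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "Properties": "Read Property {bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # 5829 from the System log: an old device still allowed a vulnerable secure channel.
    {"EventID": 5829, "TimeCreated": T0 + timedelta(minutes=10),
     "SamAccountName": "PRINTER-OLD$", "DomainName": "CORP"},
]


def detect_anonymous_dc_password_reset(events: List[dict]) -> List[dict]:
    """Step 6: 4742 where the subject is ANONYMOUS LOGON, the target is a DC
    machine account and Password Last Set changed. Returns the matching events."""
    hits = []
    for e in events:
        if e["EventID"] != 4742:
            continue
        if e.get("SubjectUserSid") != ANONYMOUS_LOGON_SID:
            continue
        if e.get("TargetUserName") not in DOMAIN_CONTROLLERS:
            continue
        if e.get("PasswordLastSet", "-") == "-":
            continue
        hits.append(e)
    return hits


def detect_replication_bursts(events: List[dict], threshold: int = 3,
                              window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Step 5: 4662 with the replication GUIDs in Properties, grouped by subject;
    flag subjects with at least `threshold` such events inside a sliding window.
    Returns subject -> largest number of events seen in one window."""
    per_subject: Dict[str, List[datetime]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        if e["EventID"] != 4662:
            continue
        if not any(g in e.get("Properties", "") for g in REPLICATION_GUIDS):
            continue
        per_subject[e["SubjectUserName"]].append(e["TimeCreated"])
    flagged: Dict[str, int] = {}
    for subject, times in per_subject.items():
        recent: deque = deque()
        best = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            best = max(best, len(recent))
        if best >= threshold:
            flagged[subject] = best
    return flagged


def list_noncompliant_devices(events: List[dict]) -> List[Tuple[str, str]]:
    """Step 4: inventory from 5829 of devices that would break under enforcement mode."""
    return sorted({(e["SamAccountName"], e.get("DomainName", ""))
                   for e in events if e["EventID"] == 5829})


def zerologon_compromise_indicators(events: List[dict]) -> List[str]:
    """High-confidence signal: a DC account reset by ANONYMOUS LOGON that then
    shows a replication burst. Returns the affected DC accounts."""
    reset = {e["TargetUserName"] for e in detect_anonymous_dc_password_reset(events)}
    return sorted(reset & set(detect_replication_bursts(events)))


if __name__ == "__main__":
    print("anonymous DC resets:", [e["TargetUserName"] for e in detect_anonymous_dc_password_reset(SAMPLE_EVENTS)])
    print("replication bursts:", detect_replication_bursts(SAMPLE_EVENTS))
    print("non-compliant devices (5829):", list_noncompliant_devices(SAMPLE_EVENTS))
    print("likely Zerologon compromise of:", zerologon_compromise_indicators(SAMPLE_EVENTS))
```

The threshold and window are starting points: the Impacket secretsdump run in the PoCs issues replication reads for every account in the domain within seconds, so a real burst is far above three events per minute, while a single 4662 from an admin account is routine.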
Affected products
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)