
CVE-2020-1472 ZeroLogon Alert: ‘Critical’ Windows Vulnerability Needs Your Attention

2020-09-23

By Achute Sharma

MS Windows Domain Controllers have a remotely exploitable vulnerability that needs your immediate attention. You can patch now or test your defenses to ensure you can defend against an attack. You must act now, and this blog will help you understand why.

CVE-2020-1472, aka “ZeroLogon”, is a privilege escalation vulnerability affecting Windows Domain Controllers using the Netlogon Remote Protocol (MS-NRPC). Microsoft addressed it as part of the August Patch Tuesday rollout. NVD rated the vulnerability critical, with a score of 10 under the Common Vulnerability Scoring System (CVSS 3.1).

Researchers at Secura published the details of the vulnerability on September 11, 2020, and a proof of concept (PoC) followed soon after. Integrations with other exploitation frameworks such as Mimikatz and Cobalt Strike followed quickly, and their number is growing. Various organizations then issued warnings, including an Alert and Emergency Directive from the Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) to patch all vulnerable systems.

Exploiting this vulnerability allows an unauthenticated remote attacker, either on the same local area network (LAN) or reaching a domain controller (DC) exposed on the internet, to impersonate the identity of any machine on a network when attempting to authenticate to the DC. The spoofed identity allows the attacker to set an empty password for that machine in the domain. Once the attacker sets an empty password, they can perform the DCSync attack and become the domain admin. The attacker now has full access, resulting in the complete takeover of a Windows domain. With this access, they can pivot to other nodes connected to the domain with administrative access.

Vulnerability Details

The core vulnerability, as described in the Secura whitepaper, lies in the improper implementation of the ComputeNetlogonCredential function in the Netlogon protocol, which uses the AES-CFB8 encryption algorithm.

Normal operation of the AES-CFB8 encryption algorithm looks like this:

[Figure: ZeroLogon1]

In this scenario, a random initialization vector (IV) is used, which results in a different ciphertext each time a given plaintext is encrypted.

However, section 3.1.4.4.1 of the Microsoft documentation of the Netlogon protocol states that a “zero initialization vector” is used.

Below is a screenshot of the MS-NRPC documentation.

[Figure: ZeroLogon2]

This effectively results in a situation that looks like:

[Figure: ZeroLogon3]

With an all-zero IV, supplying an all-zero plaintext can produce an all-zero ciphertext. The assumption here is that the first AES encryption results in an output whose first byte is 00. Since each bit has a 50-50 chance of being either a 1 or a 0, the probability of a single bit being 0 is:

P(bit = 0) = 1/2

For 8 bits, the probability is:

P(byte = 00) = 1/2 * 1/2 * 1/2 * 1/2 * 1/2 * 1/2 * 1/2 * 1/2 = 1/256

So, for 1 in every 256 operations, the first byte of the AES encryption output will be a 00 byte.

Once we have this, the rest follows: the zero ciphertext byte is shifted into the all-zero state, the state stays all zeros, and every subsequent byte encrypts the same way, resulting in a ciphertext of all zeros.
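The 1-in-256 behaviour described above can be checked offline. This is an added example, not code from the Secura whitepaper or from this blog: it swaps AES for a truncated HMAC-SHA256 as the block function (an assumption that works because CFB only uses the cipher's forward direction), and the constructed_key and constructed_iv helpers are hypothetical names that derive sample values.

```python
import hashlib
import hmac

BLOCK = 16   # AES block size in bytes
MSG_LEN = 8  # length of the 0000000000000000 challenge/credential on the page

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES (assumption): HMAC-SHA256 truncated to one block.
    # CFB never decrypts with the block cipher, so a keyed PRF shows the
    # same mode behaviour without needing an AES library.
    return hmac.digest(key, block, "sha256")[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    state = bytes(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, state)[0]  # keystream = first output byte
        out.append(c)
        state = state[1:] + bytes([c])        # shift the ciphertext byte in
    return bytes(out)

def constructed_key(i: int) -> bytes:
    # Constructed sample session keys, derived deterministically.
    return hashlib.sha256(b"constructed-key-%d" % i).digest()[:BLOCK]

def constructed_iv(i: int) -> bytes:
    # Constructed per-message IVs, standing in for a random IV.
    return hashlib.sha256(b"constructed-iv-%d" % i).digest()[:BLOCK]

def count_all_zero(n_keys: int, zero_iv: bool) -> int:
    """Count keys for which all-zero plaintext encrypts to all-zero ciphertext."""
    zeros = bytes(MSG_LEN)
    hits = 0
    for i in range(n_keys):
        iv = bytes(BLOCK) if zero_iv else constructed_iv(i)
        if cfb8_encrypt(constructed_key(i), iv, zeros) == zeros:
            hits += 1
    return hits

if __name__ == "__main__":
    n = 32768
    print("zero IV :", count_all_zero(n, True), "of", n, "(about n/256 expected)")
    print("fresh IV:", count_all_zero(n, False), "of", n)
```

With the zero IV, roughly one key in 256 maps the all-zero input to an all-zero output; with a fresh IV per message the count drops to zero, which is why the fixed IV is the root of the problem.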

The researchers then used this knowledge to perform the following:

  1. Send a Client Challenge of 0000000000000000.
     [Figure: Zerologon4]
  2. After receiving the ServerChallenge, send the computed Client Credential as 0000000000000000.
     [Figure: Zerologon5]
  3. Repeat the above steps, for a maximum of 256 attempts, until a success response is received from the server.
     [Figure: Zerologon6]
  4. Finally, set the password using NetrServerPasswordSet2.
     [Figure: Zerologon7]

The overall process can be represented as below (source: Secura whitepaper):

[Figure: ZeroLogon8]

Why Immediate Testing and Patching is Important

This vulnerability can be exploited by any remote attacker who can create a TCP connection with the victim DC. That means the attacker does not need to compromise any other domain-joined computers first. They can directly compromise the DC from anywhere in the local network and become the domain admin.

After becoming a domain admin, the attacker can do a vast amount of damage including but not limited to:

  1. Changing the password of other domain-joined users and computers
  2. Pivoting to other computers with full administrative access
  3. Maintaining long-term persistence and hiding

A total compromise of a Windows domain is possible, hence patching and testing are important. Here are actions you can take today:

Patch: Head over to the Microsoft website: Patch Tuesday of August 2020

Test: Check whether your Domain Controller is vulnerable by testing it with this PoC script

Track/Protect: If patching is not a viable option, then track and protect using inline devices such as a firewall or intrusion detection system to detect and stop such attacks.

Comprehensive, Ongoing Validation: Use BreakingPoint and the other Keysight Application and Threat Intelligence (ATI) products to test your devices for this vulnerability. Included in the latest strike pack, our implementation uses randomly generated values wherever possible, so each run of the exploit is different. BreakingPoint also has a wide range of other attacks and normal application flows that you can send together over the wire, allowing for more robust testing of the DUT.

Leverage Subscription Service to Stay Ahead of Attacks

Keysight's Application and Threat Intelligence (ATI) Subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Ixia test platforms. The ATI Research Center continuously monitors threats as they appear in the wild. Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls’ ability to detect or block such attacks.
