October 01, 2020 | By Michael Wainshtain, Technical Team Leader
A new vulnerability was detected that can cause unwanted elevation of privilege: an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploits the vulnerability can run specially crafted code on the affected domain controller. Please consider the following detection, mitigation, and remediation actions:
- Detection – Create the recommended monitoring rules mentioned in the “Detection & Mitigation” section
- Detection \ Mitigation – Enable attack signatures on the relevant security products
- Remediation – Follow the workflow mentioned below to apply the relevant patch and perform the remediation process
The exploitation of this vulnerability is possible due to a flaw in the implementation of the Netlogon protocol encryption, specifically AES-CFB8. In short, due to incorrect use of an AES mode of operation, it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain. This process looks like a “brute force” attack against the AES challenge presented by the domain controller. The minimum number of tries observed is 22, and the maximum is under 2000.
In order to exploit the vulnerability, an attacker with a foothold on a device in the network that has TCP access to a domain controller runs a specially crafted application in order to execute code on the domain controller without authentication.
- This vulnerability does not require authentication and can be exploited from any device that has TCP network access to the domain. In our simulations, it took less than 3 minutes to execute code on a domain controller, dump user credentials, and take over the entire Windows domain.
- PoCs of this exploit already exist ITW (in the wild); Python and PowerShell PoCs are the most common. We were able to find a CVE-2020-1472 PoC that performs a test to check whether the DC is vulnerable.
- Microsoft has confirmed that real-world cyber-criminal activity is coalescing around the highly dangerous vulnerability and warned users who have not yet patched it to do so as a matter of extreme
- There is a newly discovered technique to exploit this vulnerability without resetting the domain controller computer account; this DOES require exploiting another bug in the print spooler. The print spooler service must be running on the domain controller in order to exploit the vulnerability without resetting the domain controller computer account.
Detection & Mitigation
This security update addresses the vulnerability by enforcing secure RPC when using the Netlogon secure channel, in a phased release explained in the Updates section.
To provide AD forest protection, all DCs must be updated, since they will enforce secure RPC with the Netlogon secure channel. This includes read-only domain controllers (RODCs).
TSOC MDR will provide alternative ways to monitor and mitigate the risk until the security update can be safely applied to Domain Controllers.
- Perform the necessary updates based on Microsoft KB (can be found below)
- Verify AV\EPP product installed on the DC has performed definition updates and has a relevant detection\blocking
- Verify that Network IPS\IDS protecting the DC has performed definition updates and has a relevant detection\blocking
- Monitor for the following existing event IDs:
- Every Domain controller account reset should be investigated if it is not expected, e.g.
- You have a GPO to reset the DC account every 30 days; if you see a reset event and the previous one occurred less than 30 days ago (the GPO-configured interval), this should be
- You do not have a GPO to reset DC accounts and you see an unexpected reset event, this should be
- The reset event is event 4742 with the following attributes: Security ID: ANONYMOUS LOGON, Account Name: ANONYMOUS LOGON, Account Domain: NT AUTHORITY. Please note: this audit configuration must be enabled for computer accounts via GPO before the event occurs. Expected and legitimate account resets might have these values as well, so correlate them with the reset interval described above.
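The two checks above (reset earlier than the GPO interval, and the ANONYMOUS LOGON / NT AUTHORITY attributes on event 4742) as a small detection routine run over constructed sample events. This is an added example, not code from the advisory or from Microsoft; the event fields, the account names and the `DC_ACCOUNTS` set are assumptions.

```python
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample 4742 ("computer account was changed") events, reduced to the
# attributes the advisory points at. These are not real log records.
SAMPLE_4742_EVENTS = [
    {"time": "2020-08-02T02:10:00", "target": "DC01$", "security_id": "DC01$",
     "account_name": "DC01$", "account_domain": "CORP"},
    {"time": "2020-09-01T02:10:00", "target": "DC01$", "security_id": "DC01$",
     "account_name": "DC01$", "account_domain": "CORP"},
    {"time": "2020-09-14T11:32:07", "target": "DC01$", "security_id": "ANONYMOUS LOGON",
     "account_name": "ANONYMOUS LOGON", "account_domain": "NT AUTHORITY"},
    {"time": "2020-09-15T08:00:00", "target": "WS042$", "security_id": "ANONYMOUS LOGON",
     "account_name": "ANONYMOUS LOGON", "account_domain": "NT AUTHORITY"},
]

DC_ACCOUNTS = {"DC01$", "DC02$"}  # constructed list of DC machine accounts


def is_anonymous_reset(ev: dict) -> bool:
    """Attributes the advisory associates with an unauthenticated reset."""
    return (ev["security_id"] == "ANONYMOUS LOGON"
            and ev["account_name"] == "ANONYMOUS LOGON"
            and ev["account_domain"] == "NT AUTHORITY")


def find_suspicious_dc_resets(events, dc_accounts, gpo_interval_days: Optional[int]):
    """Return (target, time, reason) for 4742 events on DC accounts to investigate.

    gpo_interval_days=None means no GPO resets DC accounts, so every reset is
    unexpected; otherwise a reset earlier than the interval is flagged.
    """
    findings = []
    last_reset = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["target"] not in dc_accounts:
            continue
        when = datetime.fromisoformat(ev["time"])
        prev = last_reset.get(ev["target"])
        last_reset[ev["target"]] = when
        reasons = []
        if gpo_interval_days is None:
            reasons.append("no reset GPO configured")
        elif prev is not None and when - prev < timedelta(days=gpo_interval_days):
            reasons.append(f"reset only {(when - prev).days} days after previous "
                           f"(GPO interval {gpo_interval_days})")
        if is_anonymous_reset(ev):
            reasons.append("reset performed as ANONYMOUS LOGON / NT AUTHORITY")
        if reasons:
            findings.append((ev["target"], ev["time"], "; ".join(reasons)))
    return findings
```

With a 30-day GPO only the third DC01$ event is flagged (13 days after the previous reset, and anonymous); with no GPO every DC01$ reset is reported.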
Microsoft is addressing this vulnerability in a phased rollout.
- Phase 1: The initial deployment phase starts with the Windows updates released on August 11, 2020. The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and offer the option to enable protection for all domain-joined devices with explicit exceptions.
- Enforces secure RPC usage for machine accounts on Windows-based
- Enforces secure RPC usage for trust
- Enforces secure RPC usage for all Windows and non-Windows
- Includes a new group policy to allow non-compliant device accounts (those that use vulnerable Netlogon secure channel connections). Even when DCs are running in enforcement mode or after the Enforcement phase starts, allowed devices will not be refused.
- FullSecureChannelProtection registry key to enable DC enforcement mode for all machine accounts (enforcement phase will update DCs to DC enforcement mode).
- Includes new events when accounts are denied or would be denied in the DC enforcement mode (and will continue in the Enforcement phase). The specific event IDs are explained later in this article.
According to the Microsoft advisory, the first phase makes the DC and connecting clients work over secure RPC (the vulnerability does not work with this flow); devices that cannot communicate over secure RPC will still be granted access, and the connection will be logged:
- Log event IDs 5827 and 5828 in the System event log, if connections are
- Log event IDs 5830 and 5831 in the System event log, if connections are allowed by “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
- Log event ID 5829 in the System event log whenever a vulnerable Netlogon secure channel connection is
These events should be addressed before the DC enforcement mode is configured or before the enforcement phase starts on February 9, 2021.
The affected organization will need to make sure all network devices (Windows and other OSes) are updated to work with secure RPC (where possible) or added to the GPO exception configuration to allow them to work over non-secure RPC.
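A triage helper for the Phase 1 events listed above: it parses the "Key: value" lines of the Netlogon event text, groups the connections by machine account, and lists the accounts that must be updated or excepted before enforcement mode is enabled. This is an added example, not code from the advisory or from Microsoft's monitoring script; the sample records are constructed and only modelled on the Windows event message layout.

```python
import re
from collections import defaultdict

# Constructed System-log entries modelled on the Phase 1 Netlogon events (not real
# records). Each entry is (event_id, message); the body uses "Key: value" lines.
SAMPLE_SYSTEM_EVENTS = [
    (5829, "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n"
           "Machine SamAccountName: PRINTSRV01$\nDomain: CORP\nAccount Type: Workstation Trust\n"
           "Machine Operating System: Linux\nClient IP Address: 10.0.5.17"),
    (5829, "...\nMachine SamAccountName: PRINTSRV01$\nDomain: CORP\nClient IP Address: 10.0.5.17"),
    (5830, "...\nMachine SamAccountName: LEGACYNAS$\nDomain: CORP\nClient IP Address: 10.0.9.2"),
    (5827, "...\nMachine SamAccountName: OLDBOX$\nDomain: CORP\nClient IP Address: 10.0.7.44"),
]

# What each Phase 1 event ID means on a patched DC.
STATUS = {
    5827: "denied (machine account)",
    5828: "denied (trust account)",
    5829: "allowed only until enforcement mode",
    5830: "allowed by exception GPO (machine account)",
    5831: "allowed by exception GPO (trust account)",
}

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$", re.MULTILINE)


def parse_fields(message: str) -> dict:
    """Extract 'Key: value' lines from an event message body."""
    return {m.group("key").strip(): m.group("val").strip()
            for m in FIELD_RE.finditer(message)}


def netlogon_readiness(events):
    """Group Netlogon events per machine account; return (report, enforcement blockers)."""
    per_account = defaultdict(lambda: {"events": 0, "ids": set(), "ips": set()})
    for event_id, message in events:
        if event_id not in STATUS:
            continue
        f = parse_fields(message)
        rec = per_account[f.get("Machine SamAccountName", "<unknown>")]
        rec["events"] += 1
        rec["ids"].add(event_id)
        if "Client IP Address" in f:
            rec["ips"].add(f["Client IP Address"])
    # 5829 means the connection is still vulnerable and will be refused in Phase 2.
    blockers = sorted(a for a, r in per_account.items() if 5829 in r["ids"])
    report = {a: {"status": [STATUS[i] for i in sorted(r["ids"])], "count": r["events"],
                  "ips": sorted(r["ips"])} for a, r in per_account.items()}
    return report, blockers
```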
- Phase 2: Deploy February 9, 2021 updates (Q1 2021)
Deploying updates released February 9, 2021, or later will turn on DC enforcement mode. DC enforcement mode is when all Netlogon connections are either required to use secure RPC or the computer accounts must have been added to the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
To protect your environment and prevent outages, you must do the following:
- UPDATE your Domain Controllers with an update released August 11, 2020, or
- FIND which devices are making vulnerable connections by monitoring event
- ADDRESS non-compliant devices making vulnerable
- ENABLE enforcement mode to address CVE-2020-1472 in your environment.
This is a critical vulnerability that needs to be addressed ASAP; we assume that this vulnerability will be used by a variety of adversaries to compromise Windows Server domain controllers. The ease and broad applicability of this exploit make it highly attractive from a threat actor's point of view.
TSOC MDR highly recommends addressing this vulnerability and following the vendor recommendations to contain and mitigate the risk.
We will be glad to answer any questions or inquiries TSOC customers may have.
Microsoft advisory regarding CVE-2020-1472
Links for security updates and workarounds:
For more technical information about the vulnerability, see the following article: https://support.microsoft.com/en-us/help/4557233/script-to-help-in-monitoring-event-ids-related-to-changes-in-netlogon
Stay Safe with TrustNet!