Critical Zerologon Vulnerability Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on Zerologon vulnerability tracked as CVE-2020-1472, rated as critical with a CVSS score of 10
Updated on February 27, 2023
Published on September 25, 2020
Zerologon is a critical privilege escalation vulnerability affecting all Windows Server versions; it allows an attacker to hijack the Domain Controllers (DCs) in an enterprise's Active Directory environment. The vulnerability stems from a flaw in the cryptographic authentication scheme (AES-CFB8) used by the Netlogon Remote Protocol. The Netlogon Remote Protocol (NRPC) is a Remote Procedure Call (RPC) interface available on Windows Domain Controllers. It is used for tasks such as authenticating user and machine connections, most commonly to allow users to log in to servers using the New Technology LAN Manager (NTLM) protocol. To trigger the vulnerability, multiple Netlogon messages in which various fields are filled with zeroes are sent to the Domain Controller. This leads to a complete takeover of the target Domain Controller, and the attacker does not even require user credentials to initiate the attack.

Impact Analysis

  • The attacker can change the computer password of the domain controller once access is established.
  • These can then be used to obtain domain admin credentials, which are then used to restore the original DC password.
  • Zerologon allows an attacker to dump all user hashes from the target domain, including the hash of the KRBTGT account, which in turn enables a Golden Ticket attack.
  • Domain access to all verticals, leading to complete takeover of the company infrastructure.
  • Loss of client and business-sensitive data.
  • Loss of reputation, goodwill and revenue shares.
  • Massive financial losses and sprawling lawsuits.

Preventive Measures

  • The patch released in August 2020 addresses CVE-2020-1472.
  • Domain Controllers (both back-up and read-only) must install the aforementioned patches.
  • Deploy Domain Controller (DC) enforcement mode, which requires all Windows and non-Windows devices to use secure NRPC, or explicitly allow the account by adding an exception for any non-compliant device.
