Netlogon Privilege Escalation Vulnerability (CVE-2020-1472) Handling Guide

October 2, 2020 | Mina Hao

1. Vulnerability Description

Recently, the Dutch security firm Secura published a detailed technical analysis and a test script for the Netlogon privilege escalation vulnerability (CVE-2020-1472, also known as Zerologon), which has sharply increased the risk of exploitation. The flaw lies in the authentication handshake of the Netlogon Remote Protocol (MS-NRPC): the Netlogon credential is computed with AES in CFB8 mode using a fixed all-zero initialization vector, so for roughly one in 256 session keys an all-zero client challenge produces an all-zero client credential. An attacker who can reach a domain controller's Netlogon RPC interface over the network (typically from a foothold inside the corporate network), without any credentials, can therefore retry the handshake with a zero challenge until it is accepted, establish a secure channel as the domain controller's own machine account, reset that account's password, and from there obtain domain administrator privileges. Microsoft disclosed the vulnerability in its August 2020 security updates; it carries a CVSS base score of 10.0 and affects every supported Windows Server version. Working exploit code is publicly available, so affected users are advised to take the measures described below as soon as possible.

Netlogon is a Windows service that registers the SRV resource records of domain controllers in DNS, authenticates users and machines within the domain, and replicates the directory database to backup domain controllers. It also maintains the secure channels between domain members and their domain, between domain controllers within a domain, and between domain controllers of trusted domains.
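The following is an added example, not code from NSFOCUS, Secura or Microsoft, showing why an all-zero client challenge yields an all-zero Netlogon credential. MS-NRPC computes the AES credential as CFB8 over the 8-byte challenge with a 16-byte zero IV. CFB8 only ever calls the block cipher on its shift register, so the weakness is a property of the mode rather than of AES; to run with the standard library alone, this example substitutes a keyed hash (HMAC-SHA256 truncated to 16 bytes, an assumption) for AES-128. Sample session keys are derived deterministically so the counts are reproducible.

```python
"""Zero-IV CFB8 and the 1-in-256 zero credential behind CVE-2020-1472.

Added example for this advisory. block_encrypt is a stand-in for AES-ECB on
one block (assumption: any PRF shows the mode-level flaw); everything else
follows the MS-NRPC credential computation structurally.
"""
import hashlib
import hmac
import random

BLOCK_SIZE = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 on a single 16-byte block (HMAC-SHA256, truncated)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """8-bit cipher feedback: each keystream byte is the first byte of
    E(key, register); the resulting ciphertext byte is shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """MS-NRPC AES credential: CFB8 over the 8-byte challenge with an all-zero IV.
    With IV = 0 and challenge = 0 the first keystream byte is E(key, 0)[0]; if
    that byte is 0 the register never changes and every output byte is 0."""
    return cfb8_encrypt(session_key, bytes(BLOCK_SIZE), challenge)


def sample_key(i: int) -> bytes:
    """Deterministic sample session key number i (constructed for the demo)."""
    return hashlib.sha256(b"session-key-%d" % i).digest()[:BLOCK_SIZE]


def is_weak_key(key: bytes) -> bool:
    """The 1-in-256 condition under which the zero credential is accepted."""
    return block_encrypt(key, bytes(BLOCK_SIZE))[0] == 0


def count_zero_credentials(trials: int) -> int:
    """Number of sample keys that map the zero challenge to a zero credential;
    expect roughly trials / 256."""
    return sum(compute_netlogon_credential(sample_key(i), bytes(8)) == bytes(8)
               for i in range(trials))


def find_weak_key() -> bytes:
    """First sample key for which the zero challenge yields a zero credential."""
    i = 0
    while not is_weak_key(sample_key(i)):
        i += 1
    return sample_key(i)


def simulate_zero_challenge_attack(max_attempts: int, seed: int = 1) -> int:
    """Attacker model: every NetrServerAuthenticate3 attempt restarts the
    handshake, so the server ends up with a fresh session key (random here).
    The attacker always sends a zero challenge and a zero credential and
    succeeds the first time the server's own computation produces zeros.
    Returns the number of attempts needed, or 0 if max_attempts ran out."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        session_key = rng.getrandbits(128).to_bytes(16, "big")
        if compute_netlogon_credential(session_key, bytes(8)) == bytes(8):
            return attempt
    return 0


if __name__ == "__main__":
    print("zero credentials among 5000 sample keys:", count_zero_credentials(5000))
    print("attempts until the zero credential was accepted:",
          simulate_zero_challenge_attack(5000))
```

The same structure holds with real AES: replacing block_encrypt with AES-128-ECB changes which keys are weak, not how many. This is why the exploit simply loops the handshake until it succeeds, and why the fix has to reject the unauthenticated zero-challenge path rather than change the cipher.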

NSFOCUS reproduced the vulnerability shortly after it was disclosed.

Reference link:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

2. Scope of Impact

Affected versions

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)

3. Check for the Vulnerability

  • Tool-based Verification

Secura has published a test script on GitHub that affected users can run against their domain controllers:

https://github.com/SecuraBV/CVE-2020-1472

The script is invoked as `python3 zerologon_tester.py <DC NetBIOS name> <DC IP address>`. It only attempts the zero-challenge handshake (repeated up to a few thousand times) and does not change the machine account password, so it is safe to use for verification; a domain controller that accepts the handshake is reported as vulnerable, while a patched domain controller never accepts it. Running the script against an affected Windows Server 2012 R2 system confirmed the vulnerability.

  • Detection with NSFOCUS Products

NSFOCUS Remote Security Assessment System (RSAS), Network Intrusion Detection System (NIDS), and Unified Threat Sensor (UTS) can scan for and detect this vulnerability once upgraded to the versions listed below.

Product                          Version           Download Link
RSAS V6 system plug-in package   V6.0R02F01.1917   http://update.nsfocus.com/update/downloads/id/108456
IDS                              5.6.9.23542       http://update.nsfocus.com/update/downloads/id/108464
IDS                              5.6.10.23542      http://update.nsfocus.com/update/downloads/id/108465
UTS                              5.6.10.23542      http://update.nsfocus.com/update/downloads/id/108469

For how to upgrade NSFOCUS RSAS, click the following link:

https://mp.weixin.qq.com/s/aLAWXs5DgRhNHf4WHHhQyg

4. Mitigation

  • Official Fix

Microsoft has released security updates that fix this vulnerability in all product versions it still supports. Affected users should apply them as soon as possible. The updates are listed at:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

Note: Windows Update can fail because of network or system problems, so confirm that the update was actually installed rather than assuming it was.

Open Settings > Update & Security > Windows Update (Windows Server 2016 and later) or Control Panel > System and Security > Windows Update (Windows Server 2012 R2 and earlier) and check the status shown there, or click View update history to review the installed updates. On a Server Core installation, Get-HotFix in PowerShell lists installed updates by KB number.

If an update fails to install, click its name to open Microsoft's page for it and follow the link to the Microsoft Update Catalog to download and install the standalone package.

  • Other Protection Measures

After the update is installed, you can also enable domain controller (DC) enforcement mode, which closes the remaining window for devices that still use the insecure form of the Netlogon secure channel. In enforcement mode the DC rejects every vulnerable Netlogon secure channel connection (one that does not use secure RPC with signing and sealing) unless the device is explicitly exempted through the "Domain controller: Allow vulnerable Netlogon secure channel connections" Group Policy. The August 2020 update only starts the initial deployment phase, in which vulnerable connections from non-Windows devices are still allowed and logged; Microsoft planned to switch all updated DCs to enforcement automatically on February 9, 2021. To enforce earlier, set the REG_DWORD value FullSecureChannelProtection to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters on each DC. Before doing so, review the System log for Netlogon event IDs 5829, 5830 and 5831, which identify devices still making vulnerable connections and therefore likely to break under enforcement (events 5827 and 5828 record vulnerable connections that were denied).

For configuration details, refer to Microsoft's guide "How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472":

https://support.microsoft.com/zh-cn/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
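The following is an added example (not NSFOCUS or Microsoft code) of how the Netlogon hardening events documented in the Microsoft guide can be triaged before and after switching to enforcement mode. It assumes the events have been exported as records with the fields event_id, account and client_ip; the Windows events themselves name only the machine account, so the client address is assumed to have been added from another source such as a network sensor. The domain controller list, the detection rules and all sample records are constructed for the example.

```python
"""Triage of the Netlogon hardening events the August 2020 update adds to the
System log (source NETLOGON), as documented in KB4557222:
  5827/5828  vulnerable secure channel connection denied (machine / trust account)
  5829       vulnerable connection allowed during the initial deployment phase
  5830/5831  vulnerable connection allowed by the Group Policy exception
Added example for this advisory, not NSFOCUS or Microsoft code. The client_ip
field is an assumption (enriched from another source); records are constructed.
"""
from collections import Counter

DENIED = {5827, 5828}
ALLOWED_VULNERABLE = {5829, 5830, 5831}

# Constructed: domain controllers and the address each one is expected to use.
DC_ACCOUNTS = {"DC01$": "10.0.0.10", "DC02$": "10.0.0.11"}

# Constructed sample events.
SAMPLE_EVENTS = (
    [{"event_id": 5829, "account": "LEGACY-NAS$", "client_ip": "10.0.1.20"}] * 3
    + [{"event_id": 5830, "account": "OLDAPP01$", "client_ip": "10.0.1.30"}]
    + [{"event_id": 5827, "account": "PRINTER7$", "client_ip": "10.0.1.40"}]
    # The exploit authenticates as the target DC's own account from the
    # attacker's host: here one allowed attempt followed by a run of denials.
    + [{"event_id": 5829, "account": "dc01$", "client_ip": "10.0.5.77"}]
    + [{"event_id": 5827, "account": "DC01$", "client_ip": "10.0.5.77"}] * 30
)


def triage_netlogon_events(events, dc_accounts=DC_ACCOUNTS, denied_threshold=20):
    """Return alerts plus the inventory needed before enabling enforcement.

    Heuristic rules (assumptions of this example, not from the advisory):
      1. Any of the events above naming a DC's own machine account from an
         address other than that DC (or with no address at all) is treated as
         an exploitation attempt: patched DCs always use secure RPC, so nobody
         else should be using a DC account in a vulnerable connection.
      2. A burst of denials from one source is flagged for investigation.
      3. Remaining allowed-vulnerable events list the devices that will break
         under enforcement and must be updated or exempted first.
    """
    dc_misuse = Counter()
    denied_per_source = Counter()
    vulnerable_clients = set()
    for ev in events:
        eid = ev["event_id"]
        if eid not in DENIED and eid not in ALLOWED_VULNERABLE:
            continue
        account = ev["account"].upper()
        client_ip = ev.get("client_ip")
        if account in dc_accounts:
            if client_ip != dc_accounts[account]:
                dc_misuse[(account, client_ip)] += 1
            continue
        if eid in DENIED:
            denied_per_source[client_ip or account] += 1
        else:
            vulnerable_clients.add(account)
    alerts = [("dc_account_misuse", acct, ip, n)
              for (acct, ip), n in dc_misuse.items()]
    alerts += [("denied_burst", src, n)
               for src, n in sorted(denied_per_source.items())
               if n >= denied_threshold]
    return {
        "alerts": alerts,
        "vulnerable_clients": sorted(vulnerable_clients),
        "denied_per_source": dict(denied_per_source),
    }


if __name__ == "__main__":
    for key, value in triage_netlogon_events(SAMPLE_EVENTS).items():
        print(key, value)
```

In the sample, LEGACY-NAS$ and OLDAPP01$ are the devices to fix or exempt before enforcement, while DC01$ appearing from 10.0.5.77 is the signature worth escalating: a patched domain controller never makes a vulnerable connection itself, so a vulnerable connection under its account comes from someone else.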

  • Protection with NSFOCUS Products

NSFOCUS Network Intrusion Protection System (NIPS) has released rules that detect and block attempts to exploit this vulnerability. Users are advised to update the rule base to the latest version so that the product can protect against it effectively. The following table lists the rule base versions.

Product   Rule Base Version   Download Link
IPS       5.6.9.23542         http://update.nsfocus.com/update/downloads/id/108464
IPS       5.6.10.23542        http://update.nsfocus.com/update/downloads/id/108465

For how to update product rules, click the following link:

IPS: https://mp.weixin.qq.com/s/JsRktENQNj1TdZSU62N0Ww

  • Monitoring with NSFOCUS Platform

NSFOCUS Enterprise Security Platform (ESP-H) can monitor for exploitation of this vulnerability once the rule base package below is applied.

Security Platform                              Upgrade Package / Rule Base Version
NSFOCUS Enterprise Security Platform (ESP-H)   Use the latest rule base upgrade package ESP-EVENTRULE-013-20200915

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.