CVE-2020-1472 “Zerologon” Critical Privilege Escalation Vulnerability

Description:
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.

The core of this vulnerability is the weak cryptography and the authentication process used in the Netlogon protocol. Although current Windows Domain Controllers use standard AES-256 as their encryption standard, incorrect use of the AES mode lets an attacker spoof the identity of any computer (DC) account and replace its password with all zeroes, i.e. an empty password. Because the final result sets every character of the password to zero, this bug is widely known as “Zerologon”.
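To show the AES-mode misuse behind the description above, here is an added example (not code from the original page, from Microsoft, or from Secura): Netlogon's credential computation uses AES in CFB8 mode with a fixed all-zero IV, and the code below builds CFB8 on Go's standard AES block cipher and measures how often an all-zero input under a zero IV comes out as all-zero ciphertext, which is about 1 key in 256. The key size is irrelevant to the property; the 32-byte keys derived from a counter are constructed test keys, not real session keys.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"fmt"
)

// cfb8Encrypt is AES in CFB8 mode: each keystream byte is the first byte of
// AES(key, shiftRegister); the register then shifts left one byte and the
// ciphertext byte just produced is appended. iv must be 16 bytes.
func cfb8Encrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	reg := append([]byte(nil), iv...)
	ks := make([]byte, block.BlockSize())
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		copy(reg, reg[1:])
		reg[len(reg)-1] = out[i]
	}
	return out
}

// keyForIndex derives a reproducible 32-byte (AES-256) key from a counter.
// These are constructed test keys, not real Netlogon session keys.
func keyForIndex(i int) []byte {
	k := sha256.Sum256([]byte(fmt.Sprint(i)))
	return k[:]
}

// zeroIVHits encrypts an 8-byte all-zero message under an all-zero IV with n
// distinct keys and returns how many keys yield an all-zero ciphertext.
// Once the first keystream byte E(0)[0] is zero, the register never changes,
// so every later byte is zero too: roughly 1 key in 256 collapses this way.
func zeroIVHits(n int) int {
	zeros := make([]byte, 8)
	hits := 0
	for i := 0; i < n; i++ {
		if bytes.Equal(cfb8Encrypt(keyForIndex(i), make([]byte, 16), zeros), zeros) {
			hits++
		}
	}
	return hits
}

func main() {
	fmt.Printf("%d of 25600 keys map zeros to zeros (about 100 expected)\n", zeroIVHits(25600))
}
```

This is why a fixed zero IV is fatal here: an attacker who can retry a handshake a few hundred times needs no knowledge of the key, and the patch closes the gap by enforcing secure RPC rather than by changing the cipher mode.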

Severity: 10.0 CRITICAL

Impact:
After successfully exploiting this vulnerability, attackers are able to elevate their privileges to domain administrator and take over the domain.

Affected Products:

Windows Server 2008
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019

For the full list, please visit: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

Patch:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Reference:
https://www.secura.com/blog/zero-logon

https://www.secura.com/pathtoimg.php?id=2055

https://nvd.nist.gov/vuln/detail/CVE-2020-1472

https://blog.qualys.com/vulnerabilities-research/2020/09/15/microsoft-netlogon-vulnerability-cve-2020-1472-zerologon-automatically-discover-prioritize-and-remediate-using-qualys-vmdr

https://www.bleepingcomputer.com/news/microsoft/windows-zerologon-poc-exploits-allow-domain-takeover-patch-now/
