Alert - Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - update 1

Number: AL20-022 UPDATE 1
Date: 16 September 2020
Updated: 24 September 2020

AUDIENCE

This Alert is intended for IT professionals and managers of notified organizations.

PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

OVERVIEW

The Cyber Centre has become aware of recently published proof-of-concept exploit code related to CVE-2020-1472, a Netlogon elevation of privilege vulnerability. The Cyber Centre strongly recommends that organizations immediately patch vulnerable systems.

UPDATE

On 23 September 2020 Microsoft reported [4] that CVE-2020-1472 is being actively exploited by malicious actors. Organizations that have not already updated affected systems should patch immediately and review for indicators of compromise (IOC). Several IOCs are supplied below in the INDICATORS OF COMPROMISE section.

Proofpoint has released a Suricata Intrusion Detection System (IDS) signature [5] to assist in the identification of exploitation attempts.

On 18 September 2020 the Samba Team published an advisory [6] confirming that certain versions of Samba, when configured as a domain controller, are also vulnerable to CVE-2020-1472.

DETAILS

On 11 August 2020 Microsoft published Security Updates to address vulnerabilities in multiple products [1], including an update for a critical privilege escalation vulnerability [2]. Tracked as CVE-2020-1472, the vulnerability is exploited when a vulnerable Netlogon secure channel connection to a domain controller is established using the Netlogon Remote Protocol.

Exploitation of this vulnerability could allow a malicious actor with local network access to escalate privileges to a domain administrator level.

Microsoft is addressing this vulnerability using a two-phase approach (an initial deployment phase followed by an enforcement phase) that is outlined in the Microsoft Guidelines referenced below [3].

SUGGESTED ACTION

The Cyber Centre recommends that organizations immediately install the latest security updates from Microsoft.
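Once the security update is installed, a domain controller records Netlogon secure channel connections that would be affected by the enforcement phase in its System event log, using the event IDs documented in the Microsoft Guidelines [3]. The following PowerShell script is an added example, not part of this Alert or of Microsoft's guidance; it summarises those events for the last few days so that remaining vulnerable connections can be identified before enforcement. The retention window, output layout and the parsing of the machine name from the event text are this example's own assumptions.

```powershell
# Added example: summarise Netlogon secure-channel events (5827-5831) that the
# CVE-2020-1472 update writes to the System log on a domain controller.
# Event IDs and meanings are as documented in Microsoft's guidance (KB4557222);
# the -Days window and output format are assumptions made for this example.
param(
    [int]$Days = 7,                               # assumed look-back window
    [string]$ComputerName = $env:COMPUTERNAME     # assumed: a domain controller
)

$NetlogonEvents = @{
    5827 = 'DENIED  - vulnerable secure channel from a machine account'
    5828 = 'DENIED  - vulnerable secure channel from a trust account'
    5829 = 'ALLOWED - vulnerable secure channel (initial deployment phase)'
    5830 = 'ALLOWED - machine account permitted by group policy'
    5831 = 'ALLOWED - trust account permitted by group policy'
}

$filter = @{
    LogName   = 'System'
    Id        = @($NetlogonEvents.Keys)
    StartTime = (Get-Date).AddDays(-$Days)
}

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

if (-not $events) {
    Write-Output "No Netlogon vulnerable-connection events (5827-5831) in the last $Days days on $ComputerName."
    return
}

# Count per event ID
$events | Group-Object Id | Sort-Object Name | ForEach-Object {
    '{0,5}  {1,6}  {2}' -f $_.Name, $_.Count, $NetlogonEvents[[int]$_.Name]
}

# Distinct machines still using a vulnerable connection that was ALLOWED (5829):
# these need to be updated or fixed before enforcement mode is turned on.
# Assumption: the event text contains a "Machine SamAccountName:" line.
Write-Output ''
Write-Output 'Machines with allowed vulnerable connections (event 5829):'
$events | Where-Object Id -eq 5829 | ForEach-Object {
    if ($_.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] }
} | Sort-Object -Unique
```

Run it on (or against) each domain controller; an empty list of machines for event 5829 is the signal that enforcement mode can be enabled without breaking legitimate clients.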

INDICATORS OF COMPROMISE

Microsoft has supplied the following sample exploit IOCs (SHA-256):

b9088bea916e1d2137805edeb0b6a549f876746999fbb1b4890fb66288a59f9d
24d425448e4a09e1e1f8daf56a1d893791347d029a7ba32ed8c43e88a2d06439
c4a97815d2167df4bdf9bfb8a9351f4ca9a175c3ef7c36993407c766b57c805b

REFERENCES

[1] Cyber Centre Advisory AV20-323:
https://cyber.gc.ca/en/alerts/microsoft-security-advisory-september-2020-monthly-rollup

[2] Microsoft Advisory - CVE-2020-1472 Netlogon Elevation of Privilege Vulnerability:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

[3] Microsoft Guidelines - How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472:
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

UPDATE: [4] Microsoft Security Intelligence (@MsftSecIntel):
https://twitter.com/MsftSecIntel/status/1308941504707063808

UPDATE: [5] 2030871 ET EXPLOIT Possible Zerologon NetrServerAuthenticate with 0x00 Client Credentials (CVE-2020-1472):
https://rules.emergingthreats.net/open/suricata-5.0/emerging-all.rules

UPDATE: [6] Unauthenticated domain takeover via netlogon ("ZeroLogon"):
https://www.samba.org/samba/security/CVE-2020-1472.html
 
NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.