Alert - Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - update 1

Number: AL20-022 UPDATE 1
Date: 16 September 2020
Updated: 24 September 2020

AUDIENCE

This Alert is intended for IT professionals and managers of notified organizations.

PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients.  The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

OVERVIEW

The Cyber Centre has become aware of recently published proofs of concept exploit code related to CVE-2020-1472, a Netlogon elevation of privilege vulnerability. The Cyber Centre strongly recommends that organizations immediately patch vulnerable systems.

UPDATE

On 23 September 2020 Microsoft reported [4] that CVE-2020-1472 is being actively exploited by malicious actors. Organizations that have not already updated affected systems should patch immediately and review for indicators of compromise (IOC). Several IOCs are supplied below in the INDICATORS OF COMPROMISE section.

Proofpoint has released a Suricata Intrusion Detection System (IDS) signature [5] to assist in the identification of exploitation attempts.

On 18 September 2020 the Samba Team published an advisory [6] confirming that certain versions of Samba, when configured as a domain controller, are also vulnerable to CVE-2020-1472.

DETAILS

On 11 August 2020 Microsoft published Security Updates to address vulnerabilities in multiple products [1], including an update for a critical privilege escalation vulnerability [2]. Tracked as CVE-2020-1472 the exploit occurs when establishing a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol.

Exploitation of this vulnerability could allow a malicious actor with local network access to escalate privileges to a domain administrator level.

Microsoft is addressing this vulnerability using a two phased approach that is outlined in the below referenced Microsoft Guidelines [3].

SUGGESTED ACTION

The Cyber Centre recommends that organizations immediately install the latest security updates from Microsoft.

INDICATORS OF COMPROMISE

Microsoft has supplied the following sample exploit IOCs (SHA-256):

b9088bea916e1d2137805edeb0b6a549f876746999fbb1b4890fb66288a59f9d
24d425448e4a09e1e1f8daf56a1d893791347d029a7ba32ed8c43e88a2d06439
c4a97815d2167df4bdf9bfb8a9351f4ca9a175c3ef7c36993407c766b57c805b

REFERENCES

[1] Cyber Centre Advisory AV20-323:
https://cyber.gc.ca/en/alerts/microsoft-security-advisory-september-2020-monthly-rollup 

[2] Microsoft Advisory - CVE-2020-1472 Netlogon Elevation of Privilege Vulnerability:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

[3] Microsoft Guidelines - How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472:
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

UPDATE: [4] Microsoft Security Intelligence (@MsftSecIntel):
https://twitter.com/MsftSecIntel/status/1308941504707063808

UPDATE: [5] 2030871 ET EXPLOIT Possible Zerologon NetrServerAuthenticate with 0x00 Client Credentials (CVE-2020-1472)
https://rules.emergingthreats.net/open/suricata-5.0/emerging-all.rules

UPDATE: [6] Unauthenticated domain takeover via netlogon ("ZeroLogon"):
https://www.samba.org/samba/security/CVE-2020-1472.html
 
NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment.  We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.

Date modified: