Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

SECURITY ALERT: Microsoft Windows Server "Zerologon" Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)

    • Updated:
    • 23 Sep 2020
    • Product/Version:
    • Apex One All
    • Apex One as a Service
    • Cloud One - Workload Security All
    • Deep Security All
    • Deep Security As A Service
    • TippingPoint Digital Vaccine
    • TippingPoint ThreatDV
    • Vulnerability Protection All
    • Platform:
Summary
Updated on September 17, 2020 to add new coverage (rules) and additional link to video in references.

On September 11, 2020, detailed technical information was made public regarding a critical Microsoft Windows vulnerability (CVSS 10) that was included in Microsoft's August 2020 Patch Tuesday set of updates and appears to affect all currently supported Windows Server (2008 R2 and above).

When originally disclosed in August, the vulnerability was given the official designation of CVE-2020-1472 , but not much detail on the vulnerability itself was made public.    

However, we know that this vulnerability, now dubbed "Zerologon," may allow an attacker to take advantage of the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of any computer when trying to authenticate against the domain controller.  From there, a variety of other attacks, including but not limited to disabling security features, changing passwords, and essentially taking over the domain are possible.  

The entire attack as demonstrated, is very fast, and can be executed in approximately 3 seconds, so it could be very dangerous.  In addition, Trend Micro is now aware of weaponized proof-of-concept code that has been made publicly available, meaning that real exploits could be close behind.
Details
Public

Mitigation and Protection


First and foremost, the first line of protection against this vulnerability is to ensure that all affected systems are patched with Microsoft's latest security update.  This continues to be the primary recommendation for protection against any exploit that that may arise from this vulnerability.

According to the research, there is one serious limitation to exploits of this vulnerability - specifically it cannot be exploited remotely.  An attacker will first need to gain access to the network domain via other means (legitimately or not).  So one major mitigation point would be to ensure that network access (both physical and remote) are carefully guarded.  However, if an attacker has obtained access to a network via another vulnerability or legitimately, this could become a powerful exploit.    
 

Trend Micro Protection


To assist customers, Trend Micro has created and released some additional layers of protection in the form of Deep Security and Cloud One - Workload Security IPS rules and TippingPoint filters that may help organizations strengthen their overall security posture, especially in situations where comprehensive patching may take time or is not feasible.

IPS Rules

Deep Security and Cloud One - Workload Security, Vulnerability Protection and Apex One Vulnerability Protection (iVP)
  • Rule 1010519 - Microsoft Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)
  • Rule 1010521 - Microsoft Windows Netlogon Elevation of Privilege Vulnerability Over SMB (CVE-2020-1472)
Please note that both rules are already set to Prevent.

TippingPoint
  • Filter 38166:  MS-NRPC: Microsoft Windows Netlogon Zerologon Authentication Bypass Attempt
Please note that the posture on this filter has been changed to Enable by Default.

Trend Micro is continuing to aggressively look into other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Microsoft patches as soon as possible. We will continue to update this article and our customers if/when additional layers of protection are found.
 

References

Premium
Internal
Partner
Rating:
Category:
Remove a Malware / Virus; Update
Solution Id:
000270328
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.