October 01, 2020 | By Michael Wainshtain Technical Team Leader

Summary

A new vulnerability was detected that can cause unwanted elevation of privileges: an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploits the vulnerability can run specially crafted code on the affected domain controller. Please consider the following Detection, Mitigation, and Remediation Actions:

Exploitation

The exploitation of this vulnerability is possible due to a flaw in the implementation of the Netlogon protocol encryption, specifically AES-CFB8. In short, due to incorrect use of an AES mode of operation, it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain. This process looks like a “brute force” attack against the AES challenge presented by the domain controller. The minimum number of tries observed is 22, and the maximum is under 2000.
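An added illustration of the AES-CFB8 weakness described above (example code written for this post, not from the original or from any public PoC): it implements CFB8 over Go's standard AES and counts how often an all-zero 8-byte challenge encrypted under an all-zero IV produces an all-zero ciphertext, which is why the “brute force” against the DC's challenge succeeds after a few hundred tries on average.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// cfb8Encrypt is AES in CFB mode with an 8-bit feedback width, as Netlogon uses it:
// each plaintext byte is XORed with the first byte of AES(key, register), then the
// register shifts left by one byte and the ciphertext byte is fed back in.
func cfb8Encrypt(block cipher.Block, iv, plaintext []byte) []byte {
	reg := make([]byte, aes.BlockSize)
	copy(reg, iv)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		copy(reg, reg[1:])
		reg[aes.BlockSize-1] = out[i]
	}
	return out
}

// zeroChallengeHits encrypts an all-zero 8-byte challenge under an all-zero IV with n
// random keys and counts all-zero ciphertexts: the register never changes while each
// output byte is zero, so it happens exactly when ks[0] == 0, about 1 key in 256.
func zeroChallengeHits(n int) int {
	iv := make([]byte, aes.BlockSize)
	challenge := make([]byte, 8)
	hits := 0
	for i := 0; i < n; i++ {
		key := make([]byte, 16)
		if _, err := rand.Read(key); err != nil {
			panic(err)
		}
		block, _ := aes.NewCipher(key) // cannot fail for a 16-byte key
		if bytes.Equal(cfb8Encrypt(block, iv, challenge), challenge) {
			hits++
		}
	}
	return hits
}

func main() {
	fmt.Println("all-zero ciphertexts from 25600 random keys (expect about 100):", zeroChallengeHits(25600))
}
```

A secure-channel design would never let a fixed IV reach a cipher mode whose keystream collapses like this; the August 2020 update side-steps the problem by requiring secure RPC rather than by changing the cipher.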

In order to exploit the vulnerability, an attacker with a foothold on a device in the network that has TCP access to a domain controller runs a specially crafted application to execute code on the domain controller without authentication.

Important notes

  1. This vulnerability does not require authentication and can be exploited from any device that has TCP network access to the domain. In our simulations, it took less than 3 minutes to execute code on a domain controller, dump user credentials, and take over the entire Windows domain.
  2. PoCs of this exploit already exist ITW (in the wild); Python and PowerShell PoCs are the most common. We were able to find a CVE-2020-1472 PoC that performs a TEST to check whether the DC is vulnerable.
  3. Microsoft has confirmed that real-world cyber-criminal activity is coalescing around the highly dangerous vulnerability and warned users who have not yet patched it to do so as a matter of extreme
  4. There is a newly discovered technique to exploit this vulnerability without resetting the domain controller computer account; this DOES require exploiting another bug in the Print Spooler. The Print Spooler service must be running on the domain controller in order to exploit the vulnerability without resetting the domain controller computer account.

Detection & Mitigation

This security update addresses the vulnerability by enforcing secure RPC when using the Netlogon secure channel, in a phased release explained in the Updates section.

To provide AD forest protection, all DCs must be updated, since they will enforce secure RPC with the Netlogon secure channel. This includes read-only domain controllers (RODCs).

TSOC MDR will provide alternative ways to monitor and mitigate the risk until the security update can be safely applied to Domain Controllers.

  1. Perform the necessary updates based on the Microsoft KB (linked below)
  2. Verify that the AV\EPP product installed on the DC has received definition updates and has relevant detection\blocking
  3. Verify that the network IPS\IDS protecting the DC has received definition updates and has relevant detection\blocking
  4. Monitor for existing event ID’s: 

Updates

Microsoft is addressing this vulnerability in a phased rollout.

  1. Phase 1: The initial deployment phase starts with the Windows updates released on August 11, 2020. The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and offer the option to enable protection for all domain-joined devices with explicit exceptions.

According to the Microsoft advisory, the first phase makes the DC and connecting clients work over Secure RPC (the vulnerability does not work with this flow); devices that cannot communicate over Secure RPC will be granted access and will be logged:

These events should be addressed before the DC enforcement mode is configured or before the enforcement phase starts on February 9, 2021.

The affected organization will need to make sure all network devices (Windows and other OSes) are updated to work with Secure RPC (when possible) or added to the GPO exception configuration to allow them to work over non-Secure RPC.

  2. Phase 2: Deploy February 9, 2021 updates (Q1 2021)

Deploying updates released February 9, 2021, or later will turn on DC enforcement mode. DC enforcement mode is when all Netlogon connections are either required to use secure RPC or the computer accounts must have been added to the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.

Suggested Workflow

To protect your environment and prevent outages, you must do the following:

  1. UPDATE your Domain Controllers with an update released August 11, 2020, or
  2. FIND which devices are making vulnerable connections by monitoring event
  3. ADDRESS non-compliant devices making vulnerable
  4. ENABLE enforcement mode to address CVE-2020-1472 in your environment.
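The Phase 1 logging above and the FIND/ADDRESS steps of this workflow are where the event data gets used. As an added example (written for this post, not from the original or from Microsoft), the code below triages the Netlogon secure channel events the August 2020 update introduced (IDs 5827 to 5831, documented in the Microsoft KB4557233 article linked below) over constructed records, and lists which accounts must be patched or added to the GPO exception before enforcement mode starts. The “eventID,account,clientIP” record format is an assumption for the example, not the event log's own layout.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Netlogon secure channel event IDs added by the August 11, 2020 update (Microsoft
// KB4557233, linked below). 5829 is only logged before DC enforcement mode starts.
var statusFor = map[int]string{
	5827: "denied",             // vulnerable connection from a machine account refused
	5828: "denied",             // vulnerable connection from a trust account refused
	5829: "vulnerable-allowed", // allowed for now; patch the device or add a GPO exception
	5830: "exempted",           // allowed by the "Allow vulnerable ..." policy (machine account)
	5831: "exempted",           // allowed by the same policy (trust account)
}

// Triage takes constructed "eventID,account,clientIP" records and returns the distinct
// accounts per status plus the number of records it skipped (malformed or unrelated IDs).
func Triage(records []string) (map[string][]string, int) {
	set := map[[2]string]bool{}
	skipped := 0
	for _, r := range records {
		f := strings.Split(strings.TrimSpace(r), ",")
		id, err := strconv.Atoi(f[0])
		status, ok := statusFor[id]
		if len(f) != 3 || err != nil || !ok {
			skipped++
			continue
		}
		set[[2]string{status, f[1]}] = true
	}
	out := map[string][]string{}
	for k := range set {
		out[k[0]] = append(out[k[0]], k[1])
	}
	for s := range out {
		sort.Strings(out[s]) // deterministic order for reports and tests
	}
	return out, skipped
}

func main() {
	// Constructed sample records, not real DC logs.
	fmt.Println(Triage([]string{"5829,FILESRV01$,10.0.0.12", "5827,OLDNAS$,10.0.0.50", "4624,jdoe,10.0.0.7"}))
}
```

Anything under “vulnerable-allowed” will stop authenticating once the February 9, 2021 updates turn on DC enforcement mode, so that list is the outage risk to work through first.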

Final words

This is a critical vulnerability that needs to be addressed ASAP; we assume that it will be used by a variety of adversaries to compromise Windows Server domain controllers. The ease and virtually unlimited reach of this exploit are a great advantage from a threat actor's point of view.

TSOC MDR highly recommends addressing this vulnerability and following vendor recommendations to contain and mitigate the risk.

We will be glad to answer any questions or inquiries TSOC customers may have.

Microsoft advisory regarding CVE-2020-1472

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

Links for security updates and workarounds:

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

For more technical information about the vulnerability, see the following articles: https://support.microsoft.com/en-us/help/4557233/script-to-help-in-monitoring-event-ids-related-to-changes-in-netlogon


Stay Safe with TrustNet!