This post is also available in: 日本語 (Japanese)
Executive Summary
In August 2020, Microsoft released a security update, CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability, for a new elevation of privilege (EoP) vulnerability also known as "Zerologon." This vulnerability was given the highest Common Vulnerability Scoring System (CVSS) score of 10.0 and given a “critical” security rating from Microsoft.
This vulnerability exists within the Netlogon protocol. Exploitation of this vulnerability is possible due to a flaw in the implementation of the Netlogon protocol encryption, specifically AES-CFB8. The vulnerability is triggered by sending a string of zeros to the Netlogon protocol, hence its name, “Zerologon.” The flaw allows anyone on a network utilizing the Netlogon protocol to elevate their privileges to that of the domain administrator. This would allow an attacker access to the entire domain, opening up opportunities for further exploitation, data exfiltration, network disruption or whatever their objectives might be.
This vulnerability affects multiple Microsoft Windows Server operating systems.
Mitigation Actions for Zerologon
As always, we recommend our customers patch their systems as soon as possible. If you want to test your network for this vulnerability, you can use the Secura ZeroLogon testing script. Microsoft has provided a workaround to secure the Netlogon channel that is associated with this vulnerability by publishing guidance on how to manage the changes in Netlogon secure channel connections associated with the vulnerability.
Conclusion
The Palo Alto Networks Threat Prevention cloud-delivered security subscription provides protection against the exploitation of this vulnerability:
- Cortex XDR can block this exploit starting with Cortex agent 7.2.1 and content PTU-153 using Behavioral Threat Prevent Engine (BTP) rule: bioc.sync.zerologon_exploit_rpc.
- Next-Generation Firewalls will prevent exploitation of the vulnerability by detecting on the vulnerable Windows API (NetrServerAuthenticate3) with spoofed credentials. The relevant Threat ID is 59336.
Palo Alto Networks will update this Threat Brief with new information and recommendations as they become available.