The CVE-2020-1472 vulnerability in Windows Server, rated with a CVSS score of 10, can be exploited using “Zerologon”. Users should update now.
On the penultimate Patch Tuesday, in August 2020, Microsoft closed, among other things, the vulnerability CVE-2020-1472 (maximum CVSS rating of 10.0) in several Windows Server versions.
Now researchers have developed working exploit code for CVE-2020-1472. An attacker who is in the local (corporate) network could use it to log in as a domain administrator, without any prior knowledge of valid credentials. Admins who have not yet installed the August updates should do so as soon as possible.
A list of the affected Windows Server versions and links to the updates can be found in Microsoft’s Security Advisory. In addition, Microsoft published a document with further information about the update on patch day, as the rollout is divided into an “initial deployment” phase and an “enforcement phase”. Installing the update early may require additional registry adjustments.
- CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability
- More information about the update process
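
Patched domain controllers log Netlogon events 5827 to 5831 for vulnerable secure channel connections, which shows which devices would stop working once the enforcement phase begins. The following is an added example, not code from this article or from Microsoft: the event IDs come from Microsoft's update guidance, while the CSV column layout, host names and account names are constructed assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

# Netlogon event IDs written to the System log by patched domain controllers
# (taken from Microsoft's update guidance, not from this article).
NETLOGON_EVENTS = {
    5827: "denied",              # machine account
    5828: "denied",              # trust account
    5829: "allowed-unenforced",  # permitted only during initial deployment
    5830: "allowed-by-policy",   # machine account exempted by group policy
    5831: "allowed-by-policy",   # trust account exempted by group policy
}

# Constructed sample export; the column layout is an assumption.
SAMPLE_EXPORT = """\
TimeCreated,EventID,DomainController,Account
2020-09-15T08:01:12,5829,DC01,NAS-ARCHIVE$
2020-09-15T08:03:40,5829,DC01,NAS-ARCHIVE$
2020-09-15T08:05:02,7036,DC01,
2020-09-15T09:14:55,5827,DC02,PRINTSRV-OLD$
2020-09-15T09:20:31,5830,DC01,LEGACY-APP$
2020-09-15T10:02:09,5829,DC02,nas-archive$
2020-09-15T10:30:00,abc,DC02,BROKEN$
"""

def triage(export_text):
    """Return {outcome: {account: event count}} for Netlogon events."""
    report = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            event_id = int(row["EventID"])
        except (TypeError, ValueError):
            continue  # malformed row
        outcome = NETLOGON_EVENTS.get(event_id)
        if outcome is None:
            continue  # unrelated event
        # Account names are case-insensitive, so normalise before counting.
        account = (row.get("Account") or "").strip().upper() or "<unknown>"
        report[outcome][account] += 1
    return {outcome: dict(counts) for outcome, counts in report.items()}

def breaks_under_enforcement(report):
    """Accounts that work today but would be refused in the enforcement phase."""
    return sorted(report.get("allowed-unenforced", {}))

if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    print(result, "fix before enforcement:", breaks_under_enforcement(result))
```

Accounts listed under `allowed-unenforced` are the ones to update or replace before enforcement; accounts under `allowed-by-policy` remain exposed by an explicit exemption and deserve review.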
Exploit code publicly available
Technical details are revealed in a blog entry by the company Secura, which discovered CVE-2020-1472. According to this, the vulnerability is based on a cryptographic implementation error in the Netlogon Remote Protocol (MS-NRPC). After establishing a connection, an attacker could exploit it to arbitrarily change the password of the remote, vulnerable domain controller.
Secura has published a detailed whitepaper on the “Zerologon” exploit – as well as a Zerologon Testing Script, with which domain controllers can be tested for their vulnerability. Secura deliberately chose not to publish proof-of-concept code. However, based on Secura’s preliminary work, several other researchers and companies have dedicated the last few hours to this task and published their code on GitHub. Thus, potential attackers would have sufficient ready-made tools at hand.