CVE-2020-1472
📋 TL;DR
CVE-2020-1472 (Zerologon) is a critical authentication bypass vulnerability in Microsoft's Netlogon protocol that allows unauthenticated attackers to gain domain administrator privileges. It affects Windows domain controllers running vulnerable versions. Attackers can exploit this to completely compromise Active Directory domains.
💻 Affected Systems
- Windows Server
📦 What is this software?
- Fedora by Fedoraproject
- Leap by Opensuse
- Samba by Samba
- Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete domain compromise with attacker gaining domain administrator privileges, allowing them to create new accounts, modify existing accounts, steal credentials, and deploy malware across the entire domain.
Likely Case
Attackers gain domain administrator access and establish persistence in the network, leading to data theft, ransomware deployment, or lateral movement across the entire organization.
If Mitigated
With proper patching and enforcement mode enabled, the vulnerability is completely mitigated with no impact.
🎯 Exploit Status
Multiple public proof-of-concept exploits are available, and the vulnerability has been actively exploited in the wild. Exploitation requires no authentication and can be automated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: August 2020 security updates and later
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
Restart Required: Yes
Instructions:
1. Apply August 2020 or later security updates to all domain controllers.
2. Enable enforcement mode via registry key or group policy.
3. Monitor for non-compliant devices and remediate.
4. Complete the phased rollout as described in Microsoft's guidance.
🔧 Temporary Workarounds
Enable Netlogon secure channel enforcement
Windows: Enforces secure RPC usage for Netlogon to prevent exploitation
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v FullSecureChannelProtection /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Segment network to restrict access to domain controllers from untrusted networks
- Implement strict network monitoring for Netlogon protocol anomalies and failed authentication attempts
🔍 How to Verify
Check if Vulnerable:
Use the official Microsoft Zerologon detection script or third-party tools like Mimikatz's zerologon_tester to test domain controllers
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Check that August 2020 or later updates are installed and verify that the FullSecureChannelProtection registry value is set to 1
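The verification steps above, as an added PowerShell example (not from the advisory): it reads the FullSecureChannelProtection value and looks for a security update installed on or after August 2020. The registry path and value name are the ones given above; the cut-off date 2020-08-11 and the use of Get-HotFix install dates as a coarse proxy for "August 2020 or later updates" are assumptions.

```powershell
# Added example: report a domain controller's Zerologon mitigation state.
# Run in an elevated session on the DC. Assumptions: registry path/value as in
# the advisory; 2020-08-11 (August 2020 Patch Tuesday) as the patch cut-off.
function Test-ZerologonMitigation {
    [CmdletBinding()]
    param(
        [datetime]$PatchCutoff = [datetime]'2020-08-11'
    )
    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $valueName = 'FullSecureChannelProtection'

    # 1. Enforcement mode: the value must exist and be exactly 1.
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    $enforced = ($null -ne $item) -and ($item.$valueName -eq 1)

    # 2. Patch level: any update whose InstalledOn date is on/after the cut-off.
    #    Get-HotFix leaves InstalledOn empty for some entries, so filter those out.
    $recent = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchCutoff }
    $patched = ($recent | Measure-Object).Count -gt 0

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EnforcementEnabled = $enforced
        RecentUpdateFound  = $patched
        NewestUpdate       = ($recent | Sort-Object InstalledOn -Descending |
                                Select-Object -First 1 -ExpandProperty HotFixID)
        Status             = if ($enforced -and $patched) { 'Mitigated' } else { 'ACTION REQUIRED' }
    }
}

Test-ZerologonMitigation | Format-List
```

A missing value is reported as not enforced, since the registry key is absent by default before enforcement mode is configured.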
📡 Detection & Monitoring
Log Indicators:
- Event ID 5829 in Netlogon logs indicating secure channel failures
- Multiple failed Netlogon authentication attempts from single source
- Unexpected domain controller password changes
Network Indicators:
- Unencrypted Netlogon RPC traffic to domain controllers
- Suspicious Netlogon protocol sequences from non-domain joined systems
SIEM Query:
source="*security*" event_id=5829 OR (source="*netlogon*" AND "secure channel")
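The "monitor for non-compliant devices" step and the Event ID 5829 indicator above, as an added PowerShell example (not from the advisory): it collects 5829 events, which a domain controller logs when it still allows a vulnerable Netlogon secure channel connection, and summarizes them per machine account. The event-message field names matched by the regexes ("Machine SamAccountName:" and "Machine Operating System:") and the NETLOGON provider name are assumptions to check against your DC's log.

```powershell
# Added example: inventory of devices still making vulnerable Netlogon
# connections, from Event ID 5829 in the System log. Run on each DC, or pass
# -ComputerName. Assumption: the event message carries lines of the form
# "Machine SamAccountName: <name>" and "Machine Operating System: <os>".
function Get-ZerologonNonCompliantDevices {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5829
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { Write-Verbose "No 5829 events on $ComputerName in the last $Days days"; return }

    $events | ForEach-Object {
        $msg  = $_.Message
        $acct = if ($msg -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { 'unknown' }
        $os   = if ($msg -match 'Machine Operating System:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
        [pscustomobject]@{ Account = $acct; OS = $os; Time = $_.TimeCreated }
    } |
    Group-Object Account, OS |
    ForEach-Object {
        [pscustomobject]@{
            DomainController = $ComputerName
            Account          = $_.Group[0].Account
            OperatingSystem  = $_.Group[0].OS
            Connections      = $_.Count
            LastSeen         = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    } | Sort-Object Connections -Descending
}

Get-ZerologonNonCompliantDevices | Format-Table -AutoSize
```

Each row is a device to patch or replace before enforcement mode is switched on, since enforcement will deny those connections.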
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00080.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00086.html
- http://packetstormsecurity.com/files/159190/Zerologon-Proof-Of-Concept.html
- http://packetstormsecurity.com/files/160127/Zerologon-Netlogon-Privilege-Escalation.html
- http://www.openwall.com/lists/oss-security/2020/09/17/2
- https://lists.debian.org/debian-lts-announce/2020/11/msg00041.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4OTFBL6YDVFH2TBJFJIE4FMHPJEEJK3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ST6X3A2XXYMGD4INR26DQ4FP4QSM753B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAPQQZZAT4TG3XVRTAFV2Y3S7OAHFBUP/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
- https://security.gentoo.org/glsa/202012-24
- https://usn.ubuntu.com/4510-1/
- https://usn.ubuntu.com/4510-2/
- https://usn.ubuntu.com/4559-1/
- https://www.kb.cert.org/vuls/id/490028
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.synology.com/security/advisory/Synology_SA_20_21
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1472