Donny Mark Ramdathsingh (DMR)
Senior Solutions Architect – CTTL
Sep 21st 2020
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’. Recall that a few weeks ago we were talking along similar lines; it turns out Secura has since released a blog covering in detail what is involved, and it's pretty intense. ZeroLogon is rated 10/10 on the CVSS scale.
Ok, so how does this really play out? Essentially, the vulnerability allows an attacker to become a Domain Admin with ONE CLICK after landing within the environment.
I am oversimplifying, but it comes down to a flaw in the cryptographic scheme Netlogon uses for authentication.
How should we respond, you're asking? The patch is out, and lucky for us this urgent directive has an immediate solution.
If you are already on top of your patching, you should be fine. If you're not, then IT'S CRITICAL that you review and patch now.
This vulnerability is now known to the public so EVERYONE knows about this now and time is CRUCIAL.
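To check where your domain controllers actually stand, here is an added PowerShell example (not part of the original post, and not code from Secura or Microsoft). It assumes the ActiveDirectory module, rights to read the registry and System log on each DC, and the Netlogon events 5827-5831 and the FullSecureChannelProtection registry value that the August 2020 update introduced.

```powershell
# Added example: inventory every DC and report (a) the Netlogon enforcement
# registry value and (b) Netlogon events 5827-5831 from the last 7 days.
# Assumption: these event IDs and the FullSecureChannelProtection value are the
# ones Microsoft documents for the CVE-2020-1472 update; a DC that logs none of
# them and has no value set has most likely not received the update.
Import-Module ActiveDirectory

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$eventIds    = 5827, 5828, 5829, 5830, 5831
$since       = (Get-Date).AddDays(-7)

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # Enforcement value (1 = enforce). $null means the DC is still in the
    # initial deployment phase, or was never patched at all.
    $enforce = Invoke-Command -ComputerName $name -ScriptBlock {
        (Get-ItemProperty -Path $using:netlogonKey -ErrorAction SilentlyContinue).FullSecureChannelProtection
    }

    # Only a patched DC logs these IDs: 5829 = vulnerable connection ALLOWED
    # (an unpatched member still talking to us), 5827/5828 = DENIED,
    # 5830/5831 = allowed only because a group policy exception permits it.
    $events = Get-WinEvent -ComputerName $name -FilterHashtable @{
        LogName = 'System'; Id = $eventIds; StartTime = $since
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DomainController = $name
        EnforcementValue = $enforce
        Allowed5829      = @($events | Where-Object Id -eq 5829).Count
        Denied5827_5828  = @($events | Where-Object { $_.Id -in 5827, 5828 }).Count
        ByPolicy5830_31  = @($events | Where-Object { $_.Id -in 5830, 5831 }).Count
        # Machine accounts still making vulnerable connections; assumes the
        # account name is the first inserted string of event 5829.
        VulnerableClients = ($events | Where-Object Id -eq 5829 |
            ForEach-Object { $_.Properties[0].Value } | Sort-Object -Unique) -join ','
    }
}

$report | Format-Table -AutoSize
```

Any DC with a blank EnforcementValue and no events needs the update first; any non-zero Allowed5829 count tells you which members to patch before switching the DC to enforcement mode.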
CISA issued Emergency Directive 20-04, which instructs Federal Civilian Executive Branch agencies to apply the August 2020 security update (CVE-2020-1472) for Microsoft Windows Server to all domain controllers.
“While agencies are responsible for managing risk to their networks, CISA is responsible for safeguarding and securing the Federal enterprise. We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary. Left unpatched, this vulnerability could allow attackers to compromise network identity services. We have directed agencies to implement the patch across their infrastructure by Monday, September 21, and given instructions for which of their many systems to prioritize.”
“Though this directive applies to Executive Branch agencies, we strongly urge our partners in State and local government, the private sector, and the American public to apply this security update as soon as possible. If enterprises cannot immediately apply the update, we urge them to remove relevant domain controllers from their networks. We have published an Activity Alert with information about our directive, as well as resources to help critical infrastructure protect their networks. We’d also like to acknowledge the efforts of our partners at Microsoft in working to ensure the security of their products.”
For More Information please contact us at firstname.lastname@example.org