ZeroLogon – Last Minute Need to Know

With the end of January closing in and February Patch Tuesday right around the corner, hopefully everyone is fully aware of what ZeroLogon, or CVE-2020-1472, is. In case you're a little late to the game, here is the high-level summary; no worries, there is still time. Back in August 2020, MS released a patch to fix a vulnerability in the Active Directory NetLogon Remote Protocol, more specifically in its cryptographic algorithm, which allows an attacker to impersonate any Windows endpoint on the network when authenticating to a DC (Domain Controller), disable security features in the NetLogon process and change a computer's password. The end result is a reported sub-3-second full DC takeover, giving the attacker free rein on the domain and the ability to dump credentials and pivot laterally as desired.

The potential impact to the business is massive: CVSS scored this vuln a 10/10, and that is no exaggeration. With working proofs of concept readily available on GitHub, and reports of CVE-2020-1472 exploits being tracked in the wild as early as last October, if you have not applied the August patches to your DCs yet, drop everything and do it now!

Affected Server Versions:
Windows Server version 1903, 1909, 2004
Windows Server 2019
Windows Server 2016
Windows Server 2012, 2012 R2
Windows Server 2008, 2008 R2
Windows Server 2003, 2003 R2

The Domain Controller patch released in August 2020 must be installed on all DCs, including Read Only Domain Controllers (RODCs). After the patch is installed, DCs will begin enforcing secure RPC usage for all Windows device accounts and other DC communication. CVE and MS patch KB info can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472

The screenshot above was taken from: https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e#EnforcementMode

The August DC patch fixed the vuln on domain controllers; however, to fully patch the issue MS will release another patch in February 2021, which will set secure connection enforcement for any client connecting to a DC. There is potential for breakage on older non-compliant devices, so it is essential to monitor logs for clients attempting to make insecure connections. Luckily, with the August update MS implemented a few new Windows Event IDs, 5827 through 5831, to assist in Step 2 above: “FIND which devices are making vulnerable connections”.

Event ID: 5827 (Machine Account Error) and 5828 (Trust Account Error) – logged when a connection is denied because a vulnerable NetLogon secure channel connection was attempted.

Event ID: 5830 (Machine Account Warning) and 5831 (Trust Account Warning) – logged when a connection is allowed because the account was added to the “DC Allow Vuln NetLogon Connection” Group Policy (addressed later).

Event ID: 5829 (Detection of non-compliant devices) – Vulnerable NetLogon secure channel connections from devices are logged as ID 5829; the event includes information for identifying which client sent the request. These are the clients you MUST investigate, as enforcement in February will DENY these connections.

If you do have a third-party device throwing Event ID 5829 and do not have the option to upgrade or mitigate in another way, there is an option via Group Policy to allow that client to make insecure, vulnerable NetLogon connections. Going this route is never recommended; however, if the absolute requirement is there, it is an option.

Enforcement mode goes into effect on Patch Tuesday, February 9, 2021, so there is still time to find those outlier trouble systems and mitigate before connections are denied and stuff breaks. Set up SIEM alerts on these event IDs and be ready to take action when a vulnerable client is identified.
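One way to turn those event IDs into a per-client work list, as an added example that is not part of the original post. It assumes events exported as one JSON object per line with hypothetical `time`, `dc`, `event_id` and `message` fields, and assumes the client name follows a `Machine SamAccountName:` label in the message text; events without that label are grouped as `<unparsed>`. The sample records are constructed.

```python
import json
import re
from collections import defaultdict

# Event ID meanings as listed in this post.
DENIED = {5827, 5828}             # vulnerable connection refused
WILL_BREAK = {5829}               # allowed today, denied under enforcement mode
POLICY_EXCEPTION = {5830, 5831}   # allowed because of the Group Policy exception
PRIORITY = {"fix-before-enforcement": 0, "denied": 1, "policy-exception": 2}
# Assumed label in the event message text; adjust to match your own export.
ACCOUNT_RE = re.compile(r"Machine SamAccountName:[ \t]*(\S+)", re.IGNORECASE)

def triage(json_lines):
    """Group Netlogon 5827-5831 events per client account, most urgent first."""
    clients = defaultdict(lambda: {"ids": set(), "count": 0, "dcs": set(), "last_seen": ""})
    for line in json_lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        event_id = int(rec["event_id"])
        if event_id not in DENIED | WILL_BREAK | POLICY_EXCEPTION:
            continue  # unrelated event
        match = ACCOUNT_RE.search(rec.get("message", ""))
        # Account names are case-insensitive in AD, so fold case before grouping.
        account = match.group(1).upper() if match else "<unparsed>"
        entry = clients[account]
        entry["ids"].add(event_id)
        entry["count"] += 1
        entry["dcs"].add(rec["dc"])
        entry["last_seen"] = max(entry["last_seen"], rec["time"])  # ISO 8601 UTC sorts as text
    report = []
    for account, entry in clients.items():
        if entry["ids"] & WILL_BREAK:
            status = "fix-before-enforcement"
        elif entry["ids"] & DENIED:
            status = "denied"
        else:
            status = "policy-exception"
        report.append({"account": account, "status": status, "count": entry["count"],
                       "dcs": sorted(entry["dcs"]), "last_seen": entry["last_seen"]})
    return sorted(report, key=lambda r: (PRIORITY[r["status"]], -r["count"], r["account"]))

# Constructed sample records (not real logs): one JSON object per line.
SAMPLE = [
    '{"time": "2021-01-20T08:00:00Z", "dc": "dc01", "event_id": 5829, "message": "Machine SamAccountName: NAS01$ Domain: CORP"}',
    '{"time": "2021-01-21T09:30:00Z", "dc": "dc02", "event_id": 5829, "message": "Machine SamAccountName: nas01$ Domain: CORP"}',
    '{"time": "2021-01-21T10:00:00Z", "dc": "dc01", "event_id": 5827, "message": "Machine SamAccountName: OLDAPP$ Domain: CORP"}',
    '{"time": "2021-01-21T11:00:00Z", "dc": "dc01", "event_id": 5830, "message": "Machine SamAccountName: PRINTSRV$ Domain: CORP"}',
    '{"time": "2021-01-21T11:05:00Z", "dc": "dc01", "event_id": 4624, "message": "unrelated logon event"}',
]
```

Calling `triage(SAMPLE)` returns the 5829 clients first, since those are the ones that stop working when enforcement mode begins.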

For a great article on how to exploit CVE-2020-1472 check out: https://blog.zsec.uk/zerologon-attacking-defending/#how-do-we-fix-it by Andy Gill – ZeroSec

1/23/2021 – Weister Creek InfoSec
