
CVE-2020-1472 "Zerologon" Vulnerability

The Zerologon vulnerability was acknowledged by Microsoft in August 2020 and a patch was provided. Recently, a working exploit for the vulnerability has made it into the wild. The attack is trivial in nature: a Windows Server 2019 Server Core domain controller falls to a lowly Raspberry Pi Zero. Details on the attack method can be found on the SecuraBV website. It is critical that organizations running Active Directory patch their domain controllers as soon as possible. That said, the patch comes with its own issues: some legacy systems do not use secure RPC for Netlogon (a signed and sealed Netlogon secure channel), and the patch will break their access to domain controllers.

The patch is actually two patches: one delivered in August 2020 and a second, enforcing one that Microsoft has scheduled for February 9, 2021. The first patch anticipates that the mitigation will break some clients. It adds events for identifying non-compliant devices and a group policy that lets non-compliant device accounts keep operating while they are remediated. Domain controllers can be placed into enforcement mode before February 2021 by setting the FullSecureChannelProtection DWORD value to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters; according to Microsoft's technical article this fully mitigates the exploit on that DC, with one caveat: any account you exempt through the group policy stays exploitable, so keep that list short and temporary. It is critical to patch and upgrade non-compliant devices as soon as possible. Microsoft details the impact of the patch on its support website.

Microsoft lists the following changes instituted by the August patch:

  • Enforces secure RPC usage for machine accounts on Windows based devices
  • Enforces secure RPC usage for trust accounts
  • Enforces secure RPC usage for all Windows and non-Windows DCs
  • Includes a new group policy to allow non-compliant device accounts (those that use vulnerable Netlogon secure channel connections). Even when DCs are running in enforcement mode or after the Enforcement phase starts, allowed devices will not be refused connection
  • FullSecureChannelProtection registry key to enable DC enforcement mode for all machine accounts (the Enforcement phase will update DCs to DC enforcement mode)
  • Includes new events when accounts are denied or would be denied in DC enforcement mode (and will continue in the Enforcement phase)

Microsoft recommends that all domain controllers receive the August patch and that the newly created events be monitored. The goal of the monitoring is to identify clients that do not support, or are not configured for, secure RPC for Netlogon. Accounts that do not meet this standard will need to be added to the allow policy until they are remediated, and each one added is an account that remains exploitable in the meantime.

If you are using Windows Event Forwarding in your environment, the following event log subscription (saved as XML and created on the collector with wecutil cs) will collect these events from domain controllers. Remember that these events are only logged after the August patch is applied.

Sample Event Log Subscription

The events this subscription collects, as documented by Microsoft:

  • Event ID 5827 will be logged when a vulnerable Netlogon secure channel connection from a machine account is denied.
  • Event ID 5828 will be logged when a vulnerable Netlogon secure channel connection from a trust account is denied.
  • Event ID 5829 will only be logged during the Initial Deployment Phase, when a vulnerable Netlogon secure channel connection from a machine account is allowed.
  • Event ID 5830 will be logged when a vulnerable Netlogon secure channel machine account connection is allowed by the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
  • Event ID 5831 will be logged when a vulnerable Netlogon secure channel trust account connection is allowed by the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.

<?xml version="1.0"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Zerologon Monitoring</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Records every time EventID 5827 through 5831 is triggered, for monitoring of CVE-2020-1472 events.</Description>
  <Enabled>True</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=5827 or EventID=5828 or EventID=5829 or EventID=5830 or EventID=5831)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
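Once the events are landing in ForwardedEvents, the practical question is which accounts will break on the enforcement date and which are merely being tolerated by the allow policy. The following is an added example of that triage, not code from this page, Microsoft or Secura. The event XML in it is constructed for the example, and the EventData field names it reads (SamAccountName, DomainName, MachineOs, IPAddress) are assumptions: check the XML view of a real 5827-5831 event on your DCs and adjust the names before relying on it.

```python
"""Triage of Zerologon monitoring events (5827-5831) forwarded from domain controllers.

Added example; not code from the page, Microsoft or Secura. The events below are
constructed. Assumption: EventData field names SamAccountName, DomainName, MachineOs
and IPAddress (verify against your DCs' real event XML)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Meaning of each event for enforcement planning (Microsoft's rollout guidance).
STATUS_BY_EVENT_ID = {
    5827: "denied",             # machine account, vulnerable connection refused
    5828: "denied",             # trust account, vulnerable connection refused
    5829: "would_deny",         # allowed today, refused once enforcement starts
    5830: "allowed_by_policy",  # machine account exempted by the allow GPO
    5831: "allowed_by_policy",  # trust account exempted by the allow GPO
}


def _event(event_id, account, domain, machine_os, ip, dc="DC01.corp.example"):
    """Build a constructed Security event in the shape the subscription forwards."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <Channel>Security</Channel>
    <Computer>{dc}</Computer>
  </System>
  <EventData>
    <Data Name="SamAccountName">{account}</Data>
    <Data Name="DomainName">{domain}</Data>
    <Data Name="MachineOs">{machine_os}</Data>
    <Data Name="IPAddress">{ip}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [  # constructed sample, not real logs
    _event(5829, "LEGACY-NAS$", "CORP", "Linux", "10.1.5.20"),
    _event(5829, "LEGACY-NAS$", "CORP", "Linux", "10.1.5.20"),  # repeat, must not double-count
    _event(5830, "OLDPRINT$", "CORP", "Windows Server 2008", "10.1.7.9"),
    _event(5827, "ROGUE-PC$", "CORP", "Unknown", "10.1.9.99", dc="DC02.corp.example"),
    _event(5831, "PARTNER$", "CORP", "", "10.200.0.1"),
    _event(4624, "USER1", "CORP", "", "10.1.1.1"),  # unrelated event, should be ignored
]


def parse_event(xml_text):
    """Return EventID, reporting DC and the EventData fields of one forwarded event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVENT_NS)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    return {
        "EventID": int(system.find("e:EventID", EVENT_NS).text),
        "DC": system.find("e:Computer", EVENT_NS).text,
        **fields,
    }


def triage(xml_events):
    """Group by account: statuses hit, source IPs, reporting DCs, reported OS.
    Events outside 5827-5831 are counted as ignored and otherwise skipped."""
    accounts = defaultdict(lambda: {"status": set(), "ips": set(), "dcs": set(), "os": set()})
    ignored = 0
    for ev in map(parse_event, xml_events):
        status = STATUS_BY_EVENT_ID.get(ev["EventID"])
        if status is None:
            ignored += 1
            continue
        acct = accounts[f"{ev['DomainName']}\\{ev['SamAccountName']}"]
        acct["status"].add(status)
        acct["ips"].add(ev["IPAddress"])
        acct["dcs"].add(ev["DC"])
        if ev["MachineOs"]:
            acct["os"].add(ev["MachineOs"])
    return dict(accounts), ignored


def enforcement_ready(accounts):
    """True when no account would break on the enforcement date: every vulnerable
    connection seen is already denied or explicitly covered by the allow policy."""
    return not any("would_deny" in a["status"] for a in accounts.values())


def report(xml_events):
    """One line per account plus a readiness verdict; the 'would_deny' rows are the outage list."""
    accounts, ignored = triage(xml_events)
    lines = []
    for name in sorted(accounts):
        a = accounts[name]
        lines.append(f"{name:20} {'/'.join(sorted(a['status'])):18} "
                     f"ips={','.join(sorted(a['ips']))} os={','.join(sorted(a['os'])) or '?'} "
                     f"seen_by={','.join(sorted(a['dcs']))}")
    lines.append(f"enforcement-ready: {enforcement_ready(accounts)} (ignored {ignored} unrelated events)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

Accounts that show up only with allowed_by_policy are not outage risks, but they are still vulnerable and belong on the remediation list; accounts with would_deny are the ones that will stop working in February unless remediated or added to the policy first.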

Enforcement Phase

In February 2021, Microsoft will release the update that permanently enforces secure RPC for Netlogon. From then on, domain controllers deny vulnerable Netlogon secure channel connections from every device (in practice the non-Windows and legacy devices that the August patch still allowed), and the FullSecureChannelProtection registry value is no longer consulted. At that point the group policy will be the only way to keep a legacy client working. All efforts should be made to identify, remediate, or apply the policy to legacy clients before February 2021 to prevent outages.

Domain Controller Testing

SecuraBV has provided Python code at their GitHub site to test a domain controller for CVE-2020-1472. The publicly released demo code for exploiting domain controllers uses the same method. While SecuraBV's Python code is public and appears to contain nothing nefarious, running this test code against production domain controllers without first trying it on non-production, test-lab domain controllers is not advised.

In the examples below, the test code was run from a Raspberry Pi Zero W running Raspbian Buster against a Windows Server 2019 Server Core domain controller.

Pre Patch

Prior to executing the test code, the domain controller's operating system had been patched only up to July 2020. Within 10 seconds of running the Python script, the domain controller was reported as vulnerable. At this point an attacker who can reach the DC over the network can authenticate to it as a machine account without knowing that account's password and go on to gain full control over the domain.

Post Patch

After applying the August patch, the test code consistently failed, reporting the target as probably patched.
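What the test code is probing, and why it reports a result within seconds, comes down to one cryptographic detail that the introduction above only points to on Secura's site: ComputeNetlogonCredential in MS-NRPC is AES-128 in CFB8 mode with an all-zero IV. The block below is an added example, not SecuraBV's script or Microsoft's code, that reproduces the flaw offline. It carries a compact pure-Python AES-128 so it runs with the standard library alone; it substitutes SHA-256 of a constructed secret for MD4 of the machine password in the session-key derivation; and its "DC" models only the NetrServerAuthenticate3 credential check, not the full RPC exchange. Those three points are assumptions of the example, not statements about the real implementation.

```python
"""Why Zerologon works: ComputeNetlogonCredential is AES-128-CFB8 with an all-zero IV.

Added example, not SecuraBV's test script or Microsoft's code. Assumptions: a compact
pure-Python AES-128 (standard library only); SHA-256 of a constructed secret stands in
for MD4 of the UTF-16LE machine password; the "DC" models only the credential check."""
import hashlib
import hmac
import random


def _xtime(b):  # multiply by x in GF(2^8) modulo the AES polynomial
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def _build_sbox():
    """Walk p = 3^i and q = 3^-i over GF(2^8), then apply the affine map (standard construction)."""
    sbox, p, q = [0] * 256, 1, 1
    rotl = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for sh in (1, 2, 4):                                   # q /= 3
            q = (q ^ (q << sh)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def _expand_key(key):
    """FIPS-197 key schedule: 11 round keys of 16 bytes, column-major (index = row + 4*col)."""
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _mix_column(a):
    t = a[0] ^ a[1] ^ a[2] ^ a[3]
    return [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]


def aes128_encrypt(key, block):
    """Encrypt one 16-byte block (encryption is all CFB8 needs, even to decrypt)."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                        # SubBytes
        s = [s[i % 4 + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]  # ShiftRows
        if rnd < 10:                                                    # MixColumns
            s = sum((_mix_column(s[c:c + 4]) for c in range(0, 16, 4)), [])
        s = [b ^ k for b, k in zip(s, rk[rnd])]                         # AddRoundKey
    return bytes(s)


ZERO8 = bytes(8)


def compute_netlogon_credential(session_key, challenge):
    """MS-NRPC AES variant: CFB8 over the 8-byte challenge with the shift register (IV) fixed to 0^16."""
    reg, out = bytearray(16), bytearray()
    for b in challenge:
        c = b ^ aes128_encrypt(session_key, bytes(reg))[0]
        out.append(c)
        reg = reg[1:] + bytes([c])  # the register is fed with ciphertext bytes
    return bytes(out)


def zero_challenge_passes(session_key):
    """The flaw: when AES(K, 0^16)[0] == 0 the register stays all-zero for every byte, so
    ComputeNetlogonCredential(K, 0^8) == 0^8. That holds for about 1 in 256 session keys."""
    return aes128_encrypt(session_key, bytes(16))[0] == 0


def derive_session_key(machine_secret, client_challenge, server_challenge):
    """Shape of the AES session-key derivation: HMAC-SHA256(password hash, CC || SC)[:16].
    Assumption: SHA-256 replaces MD4 of the UTF-16LE machine password here."""
    key = hashlib.sha256(machine_secret).digest()
    return hmac.new(key, client_challenge + server_challenge, hashlib.sha256).digest()[:16]


def unpatched_dc_accepts(machine_secret, client_challenge, server_challenge, client_credential):
    """NetrServerAuthenticate3 on an unpatched DC: recompute and compare. Nothing rejects a
    trivial client challenge, and the client may leave signing and sealing off."""
    sk = derive_session_key(machine_secret, client_challenge, server_challenge)
    return hmac.compare_digest(compute_netlogon_credential(sk, client_challenge), client_credential)


def simulate_attack(seed, max_attempts=2000):
    """Attacker repeats ClientChallenge = 0^8, ClientCredential = 0^8. Each fresh ServerChallenge
    yields a new session key, so every attempt is an independent 1/256 trial; all 2000 (the cap
    Secura's script uses) fail together with probability (255/256)^2000, about 0.04%.
    Returns the attempt number that was accepted, or None."""
    rng = random.Random(seed)                          # deterministic for the example
    machine_secret = b"constructed-machine-password"   # never learned by the attacker
    for attempt in range(1, max_attempts + 1):
        server_challenge = bytes(rng.getrandbits(8) for _ in range(8))  # DC's fresh challenge
        if unpatched_dc_accepts(machine_secret, ZERO8, server_challenge, ZERO8):
            return attempt
    return None


def vulnerable_key_count(n_keys, seed):
    """How many of n_keys random session keys accept the zero challenge; expect about n_keys/256."""
    rng = random.Random(seed)
    return sum(zero_challenge_passes(bytes(rng.getrandbits(8) for _ in range(16))) for _ in range(n_keys))
```

Calling simulate_attack(2020) returns the attempt number on which the all-zero handshake was accepted, typically in the low hundreds, which is why the real test against the lab DC finishes in seconds. The attacker never needs the machine password: the DC picks a new server challenge per attempt, and about one session key in 256 happens to encrypt a zero block to a zero first byte. The August patch removes the attacker's options rather than the CFB8 construction itself, which is why connections that are not signed and sealed have to be refused.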

This is serious!
