CVE-2020-1472
Microsoft Netlogon Privilege Escalation Vulnerability

Severity Score: 5.5 (*CVSS v3.1)
Exploit Likelihood: (*EPSS)
Affected Versions: (*CPE)
Public Exploits: 69 (*Multiple Sources)
Exploited in Wild: Yes (*KEV)
Decision: Act (*SSVC)

Descriptions

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.
For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).
When the second phase of Windows updates becomes available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC); it is also known as "Netlogon Elevation of Privilege Vulnerability".

A flaw was found in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), where it reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode. This flaw allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and possibly obtain domain administrator privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Tom Tervoort discovered that the Netlogon protocol implemented by Samba incorrectly handled the authentication scheme. A remote attacker could use this issue to forge an authentication token and steal the credentials of the domain admin. This update fixes the issue by changing the "server schannel" setting to default to "yes", instead of "auto", which will force a secure netlogon channel. This may result in compatibility issues with older devices. A future update may allow a finer-grained control over this setting. Various other issues were also addressed.

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller. An attacker who successfully exploits the vulnerability could run a specially crafted application on a device on the network. The vulnerability is also known under the moniker of Zerologon.

*Credits: N/A

CVSS Scores

Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability
Local | Low | Low | None | Unchanged | High | None | None
Network | Low | None | None | Changed | High | High | High
Network | Low | None | None | Unchanged | High | High | High
Local | Low | Low | None | Unchanged | High | None | None
* Common Vulnerability Scoring System

SSVC
  • Decision: Act
  • Exploitation: Active
  • Automatable: Yes
  • Tech. Impact: Total
* Organization's Worst-case Scenario

Timeline
  • 2019-11-04 CVE Reserved
  • 2020-08-06 First Exploit
  • 2020-08-17 CVE Published
  • 2020-09-21 KEV Due Date
  • 2021-11-03 Exploited in Wild
  • 2025-02-04 CVE Updated
  • 2025-03-18 EPSS Updated

CWE
  • CWE-287: Improper Authentication
  • CWE-330: Use of Insufficiently Random Values

CAPEC

References (88)
URL Date SRC
https://packetstorm.news/files/id/180777 2024-08-31
https://packetstorm.news/files/id/160127 2020-11-18
https://packetstorm.news/files/id/159190 2020-09-16
https://www.exploit-db.com/exploits/49071 2020-11-18
https://github.com/SecuraBV/CVE-2020-1472 2023-07-20
https://github.com/dirkjanm/CVE-2020-1472 2020-09-24
https://github.com/VoidSec/CVE-2020-1472 2020-11-05
https://github.com/k8gege/CVE-2020-1472-EXP 2020-09-15
https://github.com/cube0x0/CVE-2020-1472 2020-09-14
https://github.com/sv3nbeast/CVE-2020-1472 2022-12-03
https://github.com/thatonesecguy/zerologon-CVE-2020-1472 2020-09-16
https://github.com/CanciuCostin/CVE-2020-1472 2020-09-16
https://github.com/0xkami/CVE-2020-1472 2020-09-15
https://github.com/striveben/CVE-2020-1472 2020-09-26
https://github.com/murataydemir/CVE-2020-1472 2020-09-16
https://github.com/RicYaben/CVE-2020-1472-LAB 2024-02-11
https://github.com/NAXG/CVE-2020-1472 2020-09-16
https://github.com/Akash7350/CVE-2020-1472 2023-04-30
https://github.com/Whippet0/CVE-2020-1472 2020-11-17
https://github.com/jiushill/CVE-2020-1472 2020-09-15
https://github.com/Anonymous-Family/CVE-2020-1472 2022-03-03
https://github.com/grupooruss/CVE-2020-1472 2020-09-24
https://github.com/Fa1c0n35/CVE-2020-1472 2020-09-15
https://github.com/hectorgie/CVE-2020-1472 2020-09-15
https://github.com/itssmikefm/CVE-2020-1472 2021-04-22
https://github.com/npocmak/CVE-2020-1472 2020-09-16
https://github.com/b1ack0wl/CVE-2020-1472 2020-11-16
https://github.com/dr4g0n23/CVE-2020-1472 2022-11-25
https://github.com/puckiestyle/CVE-2020-1472 2020-09-17
https://github.com/t31m0/CVE-2020-1472 2020-09-15
https://github.com/victim10wq3/CVE-2020-1472 2020-09-16
https://github.com/SaharAttackit/CVE-2020-1472 2020-12-23
https://github.com/mingchen-script/CVE-2020-1472-visualizer 2020-11-05
https://github.com/Tobey123/CVE-2020-1472-visualizer 2020-08-06
https://github.com/risksense/zerologon 2024-12-02
https://github.com/bb00/zer0dump 2024-08-22
https://github.com/McKinnonIT/zabbix-template-CVE-2020-1472 2024-08-08
https://github.com/mstxq17/cve-2020-1472 2024-10-13
https://github.com/0xcccc666/cve-2020-1472_Tool-collection 2020-11-28
https://github.com/zeronetworks/zerologon 2024-10-21
https://github.com/midpipps/CVE-2020-1472-Easy 2023-02-08
https://github.com/johnpathe/zerologon-cve-2020-1472-notes 2020-10-19
https://github.com/WiIs0n/Zerologon_CVE-2020-1472 2024-02-28
https://github.com/Privia-Security/ADZero 2024-07-04
https://github.com/Ken-Abruzzi/cve-2020-1472 2020-09-30
https://github.com/rhymeswithmogul/Set-ZerologonMitigation 2020-10-13
https://github.com/shanfenglan/cve-2020-1472 2020-10-18
https://github.com/maikelnight/zerologon 2020-11-11
https://github.com/CPO-EH/CVE-2020-1472_ZeroLogonChecker 2023-03-07
https://github.com/JayP232/The_big_Zero 2020-12-04
https://github.com/wrathfulDiety/zerologon 2021-01-17
https://github.com/YossiSassi/ZeroLogon-Exploitation-Check 2023-09-19
https://github.com/sho-luv/zerologon 2023-11-07
https://github.com/hell-moon/ZeroLogon-Exploit 2022-10-08
https://github.com/Udyz/Zerologon 2024-08-12
https://github.com/B34MR/zeroscan 2024-03-17
https://github.com/TheJoyOfHacking/SecuraBV-CVE-2020-1472 2022-02-22
https://github.com/carlos55ml/zerologon 2022-03-29
https://github.com/Rvn0xsy/ZeroLogon 2024-08-12
https://github.com/guglia001/MassZeroLogon 2024-01-10
https://github.com/likeww/MassZeroLogon 2022-09-30
https://github.com/c3rrberu5/ZeroLogon-to-Shell 2023-08-14
https://github.com/logg-1/0logon 2024-01-07
https://github.com/whoami-chmod777/Zerologon-Attack-CVE-2020-1472-POC 2024-10-09
https://github.com/JolynNgSC/Zerologon_CVE-2020-1472 2024-03-21
https://github.com/blackh00d/zerologon-poc 2024-06-06
https://github.com/TuanCui22/ZerologonWithImpacket-CVE2020-1472 2024-12-28
https://github.com/PakwanSK/Simulating-and-preventing-Zerologon-CVE-2020-1472-vulnerability-attacks. 2025-03-07
http://packetstormsecurity.com/files/160127/Zerologon-Netlogon-Privilege-Escalation.html 2025-02-04

Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status
Microsoft | Windows Server 1903 | * | - | Affected
Microsoft | Windows Server 1909 | * | - | Affected
Microsoft | Windows Server 2004 | - | - | Affected
Microsoft | Windows Server 2008 | r2 | sp1, x64 | Affected
Microsoft | Windows Server 2012 | - | - | Affected
Microsoft | Windows Server 2012 | r2 | - | Affected
Microsoft | Windows Server 2016 | - | - | Affected
Microsoft | Windows Server 2019 | - | - | Affected
Microsoft | Windows Server 20h2 | - | - | Affected
Fedoraproject | Fedora | 31 | - | Affected
Fedoraproject | Fedora | 32 | - | Affected
Fedoraproject | Fedora | 33 | - | Affected
Opensuse | Leap | 15.1 | - | Affected
Opensuse | Leap | 15.2 | - | Affected
Canonical | Ubuntu Linux | 14.04 | esm | Affected
Canonical | Ubuntu Linux | 16.04 | esm | Affected
Canonical | Ubuntu Linux | 16.04 | lts | Affected
Canonical | Ubuntu Linux | 18.04 | lts | Affected
Canonical | Ubuntu Linux | 20.04 | lts | Affected
Synology | Directory Server | < 4.4.5-0101 | - | Affected
Samba | Samba | < 4.10.18 | - | Affected
Samba | Samba | >= 4.11.0 < 4.11.13 | - | Affected
Samba | Samba | >= 4.12.0 < 4.12.7 | - | Affected
Debian | Debian Linux | 9.0 | - | Affected
Oracle | Zfs Storage Appliance Kit | 8.8 | - | Affected