
CVE-2020-1472

Microsoft Netlogon Privilege Escalation Vulnerability

Severity Score: 5.5 (CVSS v3.1)
Exploit Likelihood: - (EPSS)
Affected Versions: - (CPE)
Public Exploits: 32 (multiple sources)
Exploited in Wild: Yes (KEV)
Decision: - (SSVC)
Descriptions

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.
For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).
When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC); it is also known as "Netlogon Elevation of Privilege Vulnerability".

A flaw was found in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), where it reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode. This flaw allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and possibly obtain domain administrator privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller. An attacker who successfully exploits the vulnerability could run a specially crafted application on a device on the network. The vulnerability is also known under the moniker of Zerologon.
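The AES-CFB8 zero-IV flaw in the Red Hat text above, worked through as an added example; this is not code from the page or from any of the PoC repositories listed below. It implements AES-CFB8, checks it against the NIST SP 800-38A CFB8-AES128 known-answer vector, models MS-NRPC ComputeNetlogonCredential (AES-CFB8 over the 8-byte challenge with a fixed all-zero IV), and simulates the authentication loop in which the attacker keeps the client challenge and client credential all zero while the DC derives a fresh session key per attempt, so about one attempt in 256 is accepted. Assumptions: the session key is modelled as HMAC-SHA256(secret, clientChallenge || serverChallenge) truncated to 16 bytes, with the MD4 password hash that keys the real HMAC replaced by a constructed random secret; the function and variable names are the example's own; and the randomIV=true variant is there to isolate the root cause, not to reproduce Microsoft's fix, about which the advisory says only that the updates change how Netlogon handles secure channel usage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// cfb8Encrypt is AES in CFB-8 mode: each plaintext byte is XORed with the first
// byte of AES_k(register) and the ciphertext byte is shifted into the register.
// Zero IV + zero plaintext leaves the register at zero for every step, so the
// output is all zeros iff the single byte AES_k(0^16)[0] is zero.
func cfb8Encrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	reg := append([]byte(nil), iv...)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		reg = append(reg[1:], out[i])
	}
	return out
}

// cfb8KnownAnswer checks cfb8Encrypt against NIST SP 800-38A F.3.7 (CFB8-AES128).
func cfb8KnownAnswer() bool {
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	iv, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	pt, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172aae2d")
	want, _ := hex.DecodeString("3b79424c9c0dd436bace9e0ed4586a4f32b9")
	return bytes.Equal(cfb8Encrypt(key, iv, pt), want)
}

// computeNetlogonCredential models MS-NRPC ComputeNetlogonCredential for an AES
// session key: AES-CFB8 over the 8-byte challenge with a fixed all-zero IV.
func computeNetlogonCredential(sessionKey, challenge []byte) []byte {
	return cfb8Encrypt(sessionKey, make([]byte, aes.BlockSize), challenge)
}

// isWeakKey: AES_k(0^16)[0] == 0 (about 1 key in 256), so a zero challenge
// yields an all-zero credential under this key.
func isWeakKey(sessionKey []byte) bool {
	return cfb8Encrypt(sessionKey, make([]byte, aes.BlockSize), []byte{0})[0] == 0
}

// deriveSessionKey models the MS-NRPC AES session key as
// HMAC-SHA256(secret, clientChallenge || serverChallenge)[:16]. Assumption: the
// caller-supplied 16-byte secret stands in for the MD4 password hash.
func deriveSessionKey(secret, clientChallenge, serverChallenge []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(clientChallenge)
	mac.Write(serverChallenge)
	return mac.Sum(nil)[:16]
}

// zerologonAttempts simulates the ServerAuthenticate loop: the attacker always
// sends an all-zero client challenge and credential; the DC draws a fresh server
// challenge (so a fresh session key) per attempt and accepts when its own
// credential matches. Returns the accepting attempt, or 0 if none accepted.
// randomIV=true swaps the fixed zero IV for a random one (not Microsoft's fix).
func zerologonAttempts(secret []byte, maxAttempts int, randomIV bool) int {
	zero := make([]byte, 8)
	for n := 1; n <= maxAttempts; n++ {
		serverChallenge, iv := make([]byte, 8), make([]byte, aes.BlockSize)
		rand.Read(serverChallenge) // crypto/rand.Read does not fail in practice
		if randomIV {
			rand.Read(iv)
		}
		key := deriveSessionKey(secret, zero, serverChallenge)
		if bytes.Equal(cfb8Encrypt(key, iv, zero), zero) {
			return n
		}
	}
	return 0
}

// weakKeyFraction estimates how often a random 16-byte session key is weak.
func weakKeyFraction(trials int) float64 {
	weak, key := 0, make([]byte, 16)
	for i := 0; i < trials; i++ {
		rand.Read(key)
		if isWeakKey(key) {
			weak++
		}
	}
	return float64(weak) / float64(trials)
}

func main() {
	secret := make([]byte, 16) // constructed stand-in for a machine-account secret
	rand.Read(secret)
	fmt.Println("CFB8 known-answer test passed:", cfb8KnownAnswer())
	fmt.Printf("weak keys: %.5f of 100000 (1/256 = %.5f)\n", weakKeyFraction(100000), 1.0/256)
	fmt.Println("zero IV: accepted on attempt", zerologonAttempts(secret, 1<<16, false))
	fmt.Println("random IV: accepted on attempt", zerologonAttempts(secret, 1<<16, true), "(0 = never)")
}
```

Run it with go run. The attempt on which the zero-IV loop is accepted varies per run but is typically in the low hundreds, while the random-IV variant reports 0: once the IV differs from zero, every further ciphertext byte needs its own independent 1-in-256 coincidence, so an all-zero credential is no easier to hit than a 64-bit guess. cfb8KnownAnswer should print true before the rest of the output is trusted.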

*Credits: N/A
CVSS Scores
  • CVSS v3.1 (the 5.5 shown in the header): AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    Attack Vector Local, Attack Complexity Low, Privileges Required Low, User Interaction None, Scope Unchanged, Confidentiality High, Integrity None, Availability None. Base score 5.5.
  • CVSS v3.x: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    Attack Vector Network, Attack Complexity Low, Privileges Required None, User Interaction None, Scope Changed, Confidentiality High, Integrity High, Availability High. Base score 10.0.
  • CVSS v3.x: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Attack Vector Network, Attack Complexity Low, Privileges Required None, User Interaction None, Scope Unchanged, Confidentiality High, Integrity High, Availability High. Base score 9.8.
  • CVSS v2: AV:N/AC:M/Au:N/C:C/I:C/A:C
    Access Vector Network, Access Complexity Medium, Authentication None, Confidentiality Complete, Integrity Complete, Availability Complete. Base score 9.3.
The base scores are computed from the vectors as listed; only the 5.5 is stated elsewhere on this page. Note that the first vector (local, low-privileged, confidentiality-only) does not describe the unauthenticated network attack given in the descriptions above; the second vector, scoring 10.0, does.
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2019-11-04 CVE Reserved
  • 2020-08-06 First Exploit
  • 2020-08-17 CVE Published
  • 2020-09-21 KEV Due Date
  • 2021-11-03 Exploited in Wild
  • 2024-08-04 CVE Updated
  • 2024-09-10 EPSS Updated
CWE
  • CWE-287: Improper Authentication
  • CWE-330: Use of Insufficiently Random Values
CAPEC
References (50 at the source; 32 shown)
URL Date
https://www.exploit-db.com/exploits/49071 2020-11-18
https://github.com/SecuraBV/CVE-2020-1472 2023-07-20
https://github.com/dirkjanm/CVE-2020-1472 2020-09-24
https://github.com/VoidSec/CVE-2020-1472 2020-11-05
https://github.com/k8gege/CVE-2020-1472-EXP 2020-09-15
https://github.com/cube0x0/CVE-2020-1472 2020-09-14
https://github.com/sv3nbeast/CVE-2020-1472 2022-12-03
https://github.com/thatonesecguy/zerologon-CVE-2020-1472 2020-09-16
https://github.com/CanciuCostin/CVE-2020-1472 2020-09-16
https://github.com/0xkami/CVE-2020-1472 2020-09-15
https://github.com/striveben/CVE-2020-1472 2020-09-26
https://github.com/murataydemir/CVE-2020-1472 2020-09-16
https://github.com/RicYaben/CVE-2020-1472-LAB 2024-02-11
https://github.com/NAXG/CVE-2020-1472 2020-09-16
https://github.com/Akash7350/CVE-2020-1472 2023-04-30
https://github.com/Whippet0/CVE-2020-1472 2020-11-17
https://github.com/jiushill/CVE-2020-1472 2020-09-15
https://github.com/Anonymous-Family/CVE-2020-1472 2022-03-03
https://github.com/grupooruss/CVE-2020-1472 2020-09-24
https://github.com/Fa1c0n35/CVE-2020-1472 2020-09-15
https://github.com/hectorgie/CVE-2020-1472 2020-09-15
https://github.com/itssmikefm/CVE-2020-1472 2021-04-22
https://github.com/npocmak/CVE-2020-1472 2020-09-16
https://github.com/b1ack0wl/CVE-2020-1472 2020-11-16
https://github.com/dr4g0n23/CVE-2020-1472 2022-11-25
https://github.com/puckiestyle/CVE-2020-1472 2020-09-17
https://github.com/t31m0/CVE-2020-1472 2020-09-15
https://github.com/victim10wq3/CVE-2020-1472 2020-09-16
https://github.com/SaharAttackit/CVE-2020-1472 2020-12-23
https://github.com/mingchen-script/CVE-2020-1472-visualizer 2020-11-05
https://github.com/Tobey123/CVE-2020-1472-visualizer 2020-08-06
http://packetstormsecurity.com/files/160127/Zerologon-Netlogon-Privilege-Escalation.html 2024-08-04
Affected Vendors, Products, and Versions
Vendor          Product                     Version               Other      Status
Microsoft       Windows Server 1903         *                     -          Affected
Microsoft       Windows Server 1909         *                     -          Affected
Microsoft       Windows Server 2004         -                     -          Affected
Microsoft       Windows Server 2008         r2                    sp1, x64   Affected
Microsoft       Windows Server 2012         -                     -          Affected
Microsoft       Windows Server 2012         r2                    -          Affected
Microsoft       Windows Server 2016         -                     -          Affected
Microsoft       Windows Server 2019         -                     -          Affected
Microsoft       Windows Server 20h2         -                     -          Affected
Fedoraproject   Fedora                      31                    -          Affected
Fedoraproject   Fedora                      32                    -          Affected
Fedoraproject   Fedora                      33                    -          Affected
Opensuse        Leap                        15.1                  -          Affected
Opensuse        Leap                        15.2                  -          Affected
Canonical       Ubuntu Linux                14.04                 esm        Affected
Canonical       Ubuntu Linux                16.04                 esm        Affected
Canonical       Ubuntu Linux                16.04                 lts        Affected
Canonical       Ubuntu Linux                18.04                 lts        Affected
Canonical       Ubuntu Linux                20.04                 lts        Affected
Synology        Directory Server            < 4.4.5-0101          -          Affected
Samba           Samba                       < 4.10.18             -          Affected
Samba           Samba                       >= 4.11.0 < 4.11.13   -          Affected
Samba           Samba                       >= 4.12.0 < 4.12.7    -          Affected
Debian          Debian Linux                9.0                   -          Affected
Oracle          Zfs Storage Appliance Kit   8.8                   -          Affected