Security researchers have uncovered a vulnerability in all versions of Windows Server that allows a domain takeover with a simple approach. This vulnerability, called Zerologon (CVE-2020-1472), was closed with the security updates of August 2020. Those who have not yet installed this patch should react as soon as possible.
I had read about it on Twitter yesterday, and in this German comment here on the blog somebody mentioned the so-called Zerologon vulnerability (CVE-2020-1472), which allows a domain takeover. Tenable has summarized it here.
Zerologon vulnerability (CVE-2020-1472)
On September 11, Secura researchers published a blog post on the critical Zerologon vulnerability. The blog post includes a white paper explaining the full impact and execution of the vulnerability identified as CVE-2020-1472. The vulnerability received a CVSSv3 rating of 10.0 (highest score).
CVE-2020-1472 is a privilege escalation vulnerability made possible by the insecure use of AES-CFB8 encryption for Netlogon sessions. AES-CFB8 requires that each byte of clear text, such as a password, be encrypted under a randomized initialization vector (IV) so that passwords cannot be guessed. The ComputeNetlogonCredential function in Netlogon sets the IV to a fixed 16 bits, which means that an attacker could control the decrypted text.
An attacker could exploit this vulnerability to spoof the identity of any machine on the network when authenticating to the Domain Controller (DC). Further attacks are then possible, including the complete takeover of a Windows domain. Secura's white paper also points out that an attacker would be able to simply run the Impacket "secretsdump" script to obtain a list of user hashes from a target DC. Someone on GitHub has now published a Proof of Concept (PoC) here, and Bleeping Computer has covered it in this article.
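To illustrate why a fixed IV is the root of the problem, here is an added example (not code from the article, Secura or Microsoft): with an all-zero IV and an all-zero plaintext, the CFB8 shift register never changes, so the entire ciphertext is zero whenever the first byte of E(K, 0) happens to be zero, which is roughly one key in 256, independent of the message length. It assumes a SHA-256-based keyed function as a stand-in for the AES block encryption, which is valid here because CFB mode only uses the block cipher's forward direction.

```python
import hashlib

BLOCK = 16  # AES block size in bytes

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES block encryption (assumption for this demo): CFB mode
    # only needs the forward direction, so any keyed pseudorandom function works.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each ciphertext byte = plaintext byte XOR first byte of E(register);
    the register is then shifted left by one byte and the ciphertext byte shifted in."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)

def zero_iv(_: int) -> bytes:
    # The flawed choice: the same all-zero IV for every session.
    return bytes(BLOCK)

def per_trial_iv(i: int) -> bytes:
    # The correct choice: a fresh, unpredictable IV per message (derived from the
    # trial index here so the demo is deterministic; constructed, not real traffic).
    return hashlib.sha256(b"iv-%d" % i).digest()[:BLOCK]

def all_zero_hits(iv_func, trials: int = 20000) -> int:
    """Count keys (derived from the trial index) for which an 8-byte all-zero
    plaintext encrypts to an 8-byte all-zero ciphertext."""
    hits = 0
    for i in range(trials):
        key = hashlib.sha256(b"key-%d" % i).digest()
        if cfb8_encrypt(key, iv_func(i), bytes(8)) == bytes(8):
            hits += 1
    return hits

if __name__ == "__main__":
    # With a fixed zero IV about 20000/256 (~78) keys give an all-zero
    # ciphertext; with a fresh IV per message the count is essentially 0.
    print("fixed zero IV :", all_zero_hits(zero_iv))
    print("fresh IV      :", all_zero_hits(per_trial_iv))
```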
Patch from August 2020 closes CVE-2020-1472
The Zerologon vulnerability was patched by Microsoft with the August 2020 security updates (see also the link list at the end of this article). Tenable references this patch in this Tenable article. Administrators should install the relevant update quickly. Here on the blog I had pointed out the implications of this update in the following two blog posts: