Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking

[German]Security researchers have uncovered a vulnerability in all versions of Windows Server that allows domain transfer with a simple approach. This vulnerability, called Zerologon (CVE-2020-1472), was closed with the security updates of August 2020. Those who have not yet installed this patch should react as soon as possible.


I had read it on Twitter yesterday and this German comment here in the blog somebody mentioned the so-called Zerologon vulnerability (CVE-2020-1472), which allows a domain takeover. Tenable has summarized it here

Zerologon vulnerability (CVE-2020-1472)

On September 11, Secura researchers published a blog post on the critical Zerologon vulnerability. The blog post includes a white paper explaining the full impact and execution of the vulnerability identified as CVE-2020-1472. The vulnerability received a CVSSv3 rating of 10.0 (highest score).

CVE-2020-1472 is a Privilege Escalation vulnerability that is made possible by the insecure use of AES-CFB8 encryption for Netlogon sessions. The AES-CFB8 standard requires that each byte of clear text, such as a password, must have a randomized initialization vector (IV) to prevent passwords from being guessed. The ComputeNetlogonCredential function in Netlogon sets the IV to fixed 16 bits, which means that an attacker could control the decoded text.

An attacker could exploit this vulnerability to spoof the identity of any machine on a network when attempting to authenticate to the Domain Controller (DC). Further attacks are then possible, including the complete takeover of a Windows domain. The Securas white paper also points out that an attacker would be able to simply run the Impacket "secretsdump" script to obtain a list of user hashes from a target DC. Someone on GitHub has now published a Proof of Concept (PoC) here and Bleeping Computer has covered it within this article.

Patch from August 2020 closes CVE-2020-1472

The Zerologon vulnerability has been patched by Microsoft with the August 2020 security updates (see also link list at the end of this article). A reference to this patch from Tenable can be found in this Tenable article. Administrators should quickly install the relevant update. Here in the blog I had pointed out the implications of this update in the following two blog posts:


Windows Domain Controller suddenly generate EventID 5829 warnings (August 11, 2020)
Windows 10 V1607: Update KB4571694 creates ID 5827 events, bricks MMC

Similar articles:
Patchday: Windows 10-Updates (August 11, 2020)
Patchday: Windows 8.1/Server 2012-Updates (August 11, 2020)
Patchday: Updates for Windows 7/Server 2008 R2 (August 11, 2020)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Update, Windows and tagged , , . Bookmark the permalink.

One Response to Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking

  1. Markus Huber says:

    Does anyone know a good cloud based Patching and security solution. We recently found, which looks great. Does anyone have experience with it

Leave a Reply

Your email address will not be published. Required fields are marked *