CISA Warning: Patch your Windows Servers against CVE-2020-1472 (Zerologon)

[German]The United States Agency for Cyber Security and Infrastructure Security (CISA) has issued an emergency order giving the U.S. government agencies a four-day deadline to implement a Windows Server patch against the Zerologon vulnerability (CVE-2020-1472).


Zerologon vulnerability (CVE-2020-1472)

The background to the CISA statement is the knowledge, that the Zerologon vulnerability (CVE-2020-1472) allows Active Directory Domain Controllers (DC) to be overtaken and that there is a publicly available exploit for the vulnerability. CVE-2020-1472 is a Privilege Escalation Vulnerability that is made possible by the insecure use of AES-CFB8 encryption for Netlogon sessions. See also my blog post Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking. CISA writes about it:

CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action. This determination is based on the following:

  • the availability of the exploit code in the wild increasing likelihood of any unpatched domain controller being exploited;
  • the widespread presence of the affected domain controllers across the federal enterprise;
  • the high potential for a compromise of agency information systems;
  • the grave impact of a successful compromise; and
  • the continued presence of the vulnerability more than 30 days since the update was released.

CISA requires agencies to immediately apply the Windows Server August 2020 security update to all domain controllers.

This is a clear directive, so CISA sees an acute danger that the U.S. federal government systems will be attacked and taken over. Therefore, administrators in German-speaking countries should also become active if domain controllers based on Windows Server have not yet been secured in this regard.

Microsoft patch available since August 2020

The vulnerability is closed by Microsoft in two stages, as can be read in the support article KB4557222. With the security update of August 11, 2020 (see link list at the end of the article) the first stage of protection was initiated. So for the supported Windows Server variants a protection is possible. For Windows Server 2008 R2, however, the patch is only available for customers who have purchased the Microsoft ESU program for a fee (is virtually impossible without a volume license agreement). If you didn't get a patch for Windows Server 2008 R2, I refer you to the alternative solution of 0patch (see 0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2). (via)

Similar articles:
Patchday: Windows 10-Updates (August 11, 2020)
Patchday: Windows 8.1/Server 2012-Updates (August 11, 2020)
Patchday: Updates for Windows 7/Server 2008 R2 (August 11, 2020)
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
Windows Domain Controller suddenly generate EventID 5829 warnings (August 11, 2020)
Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking
Windows 10 V1607: Update KB4571694 creates ID 5827 events, bricks MMC

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Update, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *