[German]A brief reminder for administrators of Windows Server systems running as domain controllers. From February 9, 2021, the so-called enforcement mode for closing the Netlogon vulnerability will become mandatory – Microsoft will then roll out the relevant update. Update: Microsoft mentioned a 2nd date March 9, 2021 for Enforcement mode – see addendum below.
Advertising
The Netlogon vulnerability CVE-2020-147
There is a critical vulnerability CVE-2020-1472 in the Windows Netlogon protocol, which I had reported several times in the blog (see links at the end of the article). The Zerologon vulnerability (CVE-2020-1472) is a privilege escalation vulnerability due to the insecure use of AES-CFB8 encryption for Netlogon sessions. The vulnerability allows Active Directory domain controllers (DC) to be hijacked – even remotely if the domain controller is accessible via network/Internet – by unauthorized attackers.
Microsoft is taking a two-step approach to closing the vulnerability (see also support post KB4557222). The August 11, 2020 security update (see the list of links at the end of the article) initiated the first stage of hardening. In February 2021, the second stage to close the vulnerability will be made available. This stage will then make the so-called enforcement mode mandatory.
Microsoft had already published the blog post Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472 about this on January 14, 2021. I'm pulling up the process again in case this has passed DC admins by. Not that next Tuesday, after applying the February 2021 patches, comes the big awakening because machines can no longer contact the domain controller.
Update: A German blog reader pointed me to the Microsoft article Managing deployment of RBCD/Protected User changes for CVE-2020-16996, that says, the date for the enforced enforcement mode has been moved to March 9, 2021 (patchday). The first MS blog post linked above does not contains that information. But a detailled look into both articles reveals, that Microsoft is talking about two vulnerabilities CVE-2020-16996 and CVE-2020-1472 that will be mitigated by an enforement mode. So we will have to actions from February and March patchday.
Similar articles
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
Windows Domain Controller suddenly generate EventID 5829 warnings (August 11, 2020)
Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking
Windows 10 V1607: Update KB4571694 creates ID 5827 events, bricks MMC
CISA Warning: Patch your Windows Servers against CVE-2020-1472 (Zerologon)
Zerologon Exploits are used in the wild, patching (Windows Server, Samba) recommended
Microsoft specifies patching of the Netlogon vulnerability (CVE-2020-1472)
Advertising
Anyone know if the date is 9th Feb or March?
I've found that we are not getting any alerts from the DC's about insecure servers even though we have had cumulative updates each month since August 2020 and have a couple of 2003 & 2008 sitting idle.