{"id":16133,"date":"2020-09-30T00:23:51","date_gmt":"2020-09-29T22:23:51","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=16133"},"modified":"2020-09-30T00:23:51","modified_gmt":"2020-09-29T22:23:51","slug":"microsoft-specifies-patching-of-the-netlogon-vulnerability-cve-2020-1472","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/09\/30\/microsoft-specifies-patching-of-the-netlogon-vulnerability-cve-2020-1472\/","title":{"rendered":"Microsoft specifies patching of the Netlogon vulnerability (CVE-2020-1472)"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/09\/30\/microsoft-przisiert-das-patchen-der-netlogon-schwachstelle-cve-2020-1472\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Microsoft has revised and clarified its guidance on how to close the Netlogon vulnerability on Windows Server installations that act as domain controllers. This is in response to feedback from users who were confused by the previous support posts.<\/p>\n<p><!--more--><\/p>\n<h2>The vulnerability, updates and uncertainties<\/h2>\n<p>I have reported on the Netlogon vulnerability in Windows Server several times in this blog (see the links at the end of the article). The Zerologon vulnerability (CVE-2020-1472) is an elevation-of-privilege vulnerability caused by the insecure use of AES-CFB8 in the Netlogon authentication protocol: the client credential is computed with a fixed all-zero initialization vector, so an all-zero client challenge produces an all-zero credential for one in 256 session keys, and an attacker only has to repeat the handshake until that happens. 
The vulnerability allows an unauthenticated attacker with network access to a domain controller (DC) to take over the Active Directory domain; if the DC is reachable from the internet, the attack also works remotely.<\/p>\n<p>I covered this in the blog post <a href=\"https:\/\/borncity.com\/win\/2020\/09\/16\/windows-server-zerologon-sicherheitslcke-cve-2020-1472-erlaubt-domain-bernahme\/\">Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking<\/a>. Microsoft released security updates on August 11, 2020 that mitigate the vulnerability. Since the vulnerability is being exploited in the wild, Microsoft urged customers to patch (see <a href=\"https:\/\/borncity.com\/win\/2020\/09\/24\/zerologon-exploits-werden-ausgenutzt-patchen-windows-server-samba-ist-angesagt\/\">Zerologon Exploits are used in the wild, patching (Windows Server, Samba) recommended<\/a>). <\/p>\n<p>Microsoft is closing the vulnerability in two phases, as described in the support article <a href=\"https:\/\/support.microsoft.com\/help\/4557222\/\">KB4557222<\/a>. The security update of August 11, 2020 (see the link list at the end of the article) started the first phase, the initial deployment phase: patched domain controllers enforce secure RPC for Windows machine accounts, trust accounts and all domain controllers, but still allow vulnerable Netlogon secure channel connections from non-compliant third-party devices and only log them. The second phase, enforcement, follows in February 2021.<\/p>\n<h2>Microsoft specifies the steps to secure your servers<\/h2>\n<p>The knowledge base article <a href=\"https:\/\/support.microsoft.com\/help\/4557222\/\">KB4557222<\/a> has provoked questions not only here in the blog; Microsoft evidently received many questions from uncertain customers and had to react. The colleagues at Bleeping Computer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-clarifies-patch-confusion-for-windows-zerologon-flaw\/\" target=\"_blank\" rel=\"noopener noreferrer\">noticed<\/a> that Microsoft has added the following clarification of the procedure to the English version of the support article <a href=\"https:\/\/support.microsoft.com\/help\/4557222\/\">KB4557222<\/a>. 
<\/p>\n<blockquote>\n<p>Take Action  <\/p>\n<p>To protect your environment and prevent outages, you must do the following:  <\/p>\n<ol>\n<li><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4557222\/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc#Updates%20section\" target=\"_blank\" rel=\"noopener noreferrer\">UPDATE<\/a> your Domain Controllers with an update released August 11, 2020 or later.\n<li><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4557222\/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc#DetectingNon-compliant\" target=\"_blank\" rel=\"noopener noreferrer\">FIND<\/a> which devices are making vulnerable connections by monitoring event logs.\n<li><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4557222\/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc#AddressingEventIDs\" target=\"_blank\" rel=\"noopener noreferrer\">ADDRESS<\/a> non-compliant devices making vulnerable connections.\n<li><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4557222\/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc#EnablingEnforcementMode\" target=\"_blank\" rel=\"noopener noreferrer\">ENABLE<\/a> enforcement mode to address <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-1472\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-1472<\/a> in your environment.<\/li>\n<\/ol>\n<p><strong>Note <\/strong>Step 1 of installing updates released August 11, 2020 or later will address security issue in <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-1472\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-1472<\/a> for Active Directory domains and trusts, as well as Windows devices. To fully mitigate the security issue for third-party devices, you will need to complete all the steps.  
<\/p>\n<p><strong>Warning <\/strong>Starting February 2021, enforcement mode will be enabled on all Windows Domain Controllers and will block vulnerable connections from non-compliant devices.&nbsp; At that time, you will not be able to disable enforcement mode.<\/p>\n<\/blockquote>\n<p>In short: Installing the security updates of August 11, 2020 (and the later cumulative updates) on all domain controllers already protects Active Directory domains and trusts as well as Windows devices. Administrators should then watch the System event log of the domain controllers for the Netlogon events 5827 to 5831, identify the devices that still set up vulnerable Netlogon secure channel connections (typically third-party or legacy systems) and update or reconfigure them so that they use secure RPC. Only then should enforcement mode be enabled by setting the registry value FullSecureChannelProtection to 1 under HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters, as described in the support article; from that point a device that is still non-compliant is blocked from establishing a Netlogon secure channel with the DC. Microsoft will switch all domain controllers to enforcement mode with a security update in February 2021 at the latest, and it can no longer be disabled afterwards.  <\/p>\n<p><strong>Similar articles:<br \/><\/strong><a href=\"https:\/\/borncity.com\/win\/2020\/08\/12\/patchday-windows-10-updates-august-11-2020\/\">Patchday: Windows 10-Updates (August 11, 2020)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/08\/12\/patchday-windows-8-1-server-2012-updates-august-11-2020\/\">Patchday: Windows 8.1\/Server 2012-Updates (August 11, 2020)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/08\/12\/patchday-updates-for-windows-7-server-2008-r2-august-11-2020\/\">Patchday: Updates for Windows 7\/Server 2008 R2 (August 11, 2020)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/09\/18\/0patch-fixt-zerologon-cve-2020-1472-in-windows-server-2008-r2\/\">0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/08\/17\/windows-domain-controller-erzeugen-pltzlich-eventid-5829-warnungen-11-8-2020\/\">Windows Domain Controller suddenly generate EventID 5829 warnings (August 11, 2020)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/09\/16\/windows-server-zerologon-sicherheitslcke-cve-2020-1472-erlaubt-domain-bernahme\/\">Windows Server: Zerologon 
vulnerability (CVE-2020-1472) allows domain hijacking<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/09\/12\/windows-10-v1607-update-kb4571694-creates-id-5827-events-bricks-mmc\/\">Windows 10 V1607: Update KB4571694 creates ID 5827 events, bricks MMC<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/09\/21\/cisa-warnung-patcht-eure-windows-server-gegen-cve-2020-1472-zerologon\/\">CISA Warning: Patch your Windows Servers against CVE-2020-1472 (Zerologon)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/09\/24\/zerologon-exploits-werden-ausgenutzt-patchen-windows-server-samba-ist-angesagt\/\">Zerologon Exploits are used in the wild, patching (Windows Server, Samba) recommended<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Microsoft has revised and clarified its guidance on how to close the Netlogon vulnerability in Windows Server installations that act as domain controllers. This is in response to feedback from users who were confused by previous support 
posts.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,22,2],"tags":[2569,69,195,159],"class_list":["post-16133","post","type-post","status-publish","format-standard","hentry","category-security","category-update","category-windows","tag-cve-2020-1472","tag-security","tag-update","tag-windows-server"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/16133","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=16133"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/16133\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=16133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=16133"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=16133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
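The four-step procedure from KB4557222 that the post summarizes (UPDATE, FIND, ADDRESS, ENABLE) as one PowerShell script an administrator could run from a management workstation. This is an added example, not code from the original post or from Microsoft's support article. It assumes the August 11, 2020 update is already installed on every DC, that the ActiveDirectory RSAT module is available, that the DCs allow remote event log reads and WinRM, and that the machine or trust account name is the first replacement string of the NETLOGON events 5827 to 5831; the registry key, value name and event IDs are the ones documented in KB4557222.

```powershell
<#
  Added example (not from the original post or Microsoft's KB4557222).
  FIND: collect NETLOGON events 5827-5831 from the System log of each DC and
        list the accounts still making vulnerable Netlogon secure channel connections.
  ADDRESS: the printed rows are the devices to update/reconfigure for secure RPC.
  ENABLE: with -Enforce, set FullSecureChannelProtection=1 on every DC, but only
        once no vulnerable connection has been logged in the inspected window.
  Assumptions: ActiveDirectory RSAT module, remote event log + WinRM access to the DCs,
  and that Properties[0] of each event is the SamAccountName named in its text.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Domain controllers to query; defaults to every DC in the current domain.
    [string[]]$DomainController,
    # How many days of event log to inspect.
    [int]$Days = 7,
    # Switch the DCs to enforcement mode (refused while vulnerable connections are still seen).
    [switch]$Enforce
)

if (-not $DomainController) {
    $DomainController = (Get-ADDomainController -Filter *).HostName
}

# Event IDs and their meaning as documented in KB4557222.
$NetlogonEvents = @{
    5827 = 'DENIED  vulnerable connection from a machine account'
    5828 = 'DENIED  vulnerable connection from a trust account'
    5829 = 'ALLOWED vulnerable connection from a machine account (initial deployment phase)'
    5830 = 'ALLOWED machine account permitted by "Allow vulnerable Netlogon secure channel connections" policy'
    5831 = 'ALLOWED trust account permitted by the same group policy'
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = [int[]]$NetlogonEvents.Keys
    StartTime    = (Get-Date).AddDays(-$Days)
}

$report = foreach ($dc in $DomainController) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; that means the DC is clean, not broken.
        if ($_.Exception.Message -like 'No events were found*') { $events = @() }
        else { Write-Warning "${dc}: $($_.Exception.Message)"; continue }
    }
    foreach ($e in $events) {
        # Assumption: Properties[0] is the machine/trust account (SamAccountName) named in the event text.
        $account = if ($e.Properties.Count -gt 0) { [string]$e.Properties[0].Value } else { '<unknown>' }
        [pscustomobject]@{
            DomainController = $dc
            Account          = $account
            EventId          = $e.Id
            Meaning          = $NetlogonEvents[$e.Id]
            LastSeen         = $e.TimeCreated
        }
    }
}

# One row per DC/account/event ID: the devices that must be fixed (vendor update,
# secure RPC setting) or, as a last resort, explicitly allowed via the group policy.
$summary = $report | Group-Object DomainController, Account, EventId | ForEach-Object {
    $latest = ($_.Group | Sort-Object LastSeen -Descending)[0]
    [pscustomobject]@{
        DomainController = $latest.DomainController
        Account          = $latest.Account
        EventId          = $latest.EventId
        Meaning          = $latest.Meaning
        Count            = $_.Count
        LastSeen         = $latest.LastSeen
    }
}

if ($summary) {
    $summary | Sort-Object DomainController, Account, EventId | Format-Table -AutoSize
} else {
    Write-Host "No vulnerable Netlogon secure channel connections logged in the last $Days days."
}

if ($Enforce) {
    if ($summary) {
        Write-Warning 'Vulnerable connections are still being logged; fix those devices before enabling enforcement.'
        return
    }
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    foreach ($dc in $DomainController) {
        # Running the script with -WhatIf shows the change without applying it.
        if ($PSCmdlet.ShouldProcess($dc, 'Set FullSecureChannelProtection = 1 (enforcement mode)')) {
            Invoke-Command -ComputerName $dc -ArgumentList $regPath -ScriptBlock {
                param($path)
                # 1 = enforcement mode (deny vulnerable connections); 0 = compatibility mode.
                Set-ItemProperty -Path $path -Name FullSecureChannelProtection -Value 1 -Type DWord
                "$env:COMPUTERNAME FullSecureChannelProtection = " +
                    (Get-ItemProperty -Path $path -Name FullSecureChannelProtection).FullSecureChannelProtection
            }
        }
    }
}
```

Run it without switches first and keep running it until the report stays empty for a full window (seven days by default, so that weekly or infrequently connecting devices show up); only then run it with `-Enforce`, or with `-Enforce -WhatIf` to see which DCs would be changed. Events 5827 and 5828 mean a connection was already refused, so those devices are not just at risk but already failing and should be handled first.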