Netlogon Elevation of Privilege Vulnerability

Security Vulnerability

Released: Aug 11, 2020

Last updated: Feb 11, 2021

Assigning CNA: Microsoft
CVE.org link: CVE-2020-1472
Impact: Elevation of Privilege
Max Severity: Critical
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C

Please see Common Vulnerability Scoring System for more information on the definition of these metrics.

Executive Summary

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.

To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.

For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).

When the second phase of Windows updates becomes available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

Exploitability

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

Publicly disclosed: No
Exploited: No
Exploitability assessment: Exploitation More Likely

FAQ

Do I need to take further steps to be protected from this vulnerability?

Yes. Installing the August 11, 2020 updates on the domain controllers protects the Windows-based machine accounts, the trust accounts, and the domain controller accounts.

Active Directory machine accounts for domain joined third-party devices are not protected until enforcement mode is deployed. Machine accounts are also not protected if they are added to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy. See How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 for more details.

If I install the updates and take no further action, what will be the impact?

During the initial deployment phase, starting with the updates released August 11, 2020 or later, the updates can be installed without further action, and Windows devices and Domain Controllers (DCs) will be protected from this vulnerability. Third-party devices will be allowed to make vulnerable connections and might allow attack until enforcement mode is enabled. Organizations will need to monitor for and address potential issues before the Q1 2021 DC enforcement phase or risk devices being denied access. Note: Any device in the allow list will be allowed to use vulnerable connections and could expose your environment to the attack. For more information, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472.

How does Microsoft plan to address this vulnerability?

Microsoft is addressing this vulnerability in a phased rollout. The initial deployment phase starts with the Windows updates released on August 11, 2020. The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions.

The second phase, planned for a Q1 2021 release, marks the transition into the enforcement phase. The DCs will be placed in enforcement mode, which requires all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with Netlogon secure channel or to explicitly allow the account by adding an exception for any non-compliant device.
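The monitoring the two phases above call for can be done from the events a patched DC writes when it sees a vulnerable secure channel connection. The following PowerShell is an added example, not part of this advisory or of Microsoft's tooling; it assumes the Netlogon event IDs 5827 through 5831 that Microsoft's CVE-2020-1472 KB guidance documents for denied and allowed vulnerable connections, and the regex that extracts the account name from the message text is an assumption about the message wording.

```powershell
# Added example: summarize Netlogon secure channel events on a DC so that
# non-compliant devices can be found and fixed before enforcement mode.
# Event IDs per Microsoft's CVE-2020-1472 KB; message regex is an assumption.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # run once per DC
    [int]$Days = 7
)

$ids = @{
    5827 = 'Denied: vulnerable machine account connection'
    5828 = 'Denied: vulnerable trust account connection'
    5829 = 'Allowed: vulnerable connection (denied once enforcement starts)'
    5830 = 'Allowed by policy: machine account in the allow group'
    5831 = 'Allowed by policy: trust account in the allow group'
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = [int[]]$ids.Keys
    StartTime    = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Assumption: the message body carries "... SamAccountName: <account>"
    $account = if ($e.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '(unknown)' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Meaning = $ids[$e.Id]
        Account = $account
    }
}

# Accounts under 5829 are the ones to remediate before the Q1 2021 phase:
# they will be denied in enforcement mode. Accounts under 5830/5831 stay
# exposed for as long as they remain in the allow group.
$rows | Group-Object Id, Account | Sort-Object Count -Descending |
    Select-Object Count,
        @{n='Id';e={$_.Group[0].Id}},
        @{n='Meaning';e={$_.Group[0].Meaning}},
        @{n='Account';e={$_.Group[0].Account}} |
    Format-Table -AutoSize
```

Run it against every DC, since each DC logs only the connections it served.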

What is a non-compliant device?

A non-compliant device is one that uses a vulnerable Netlogon secure channel connection.

Why is there a staged or phased rollout?

There are many non-Windows device implementations of the Netlogon Remote Protocol (also called MS-NRPC). To ensure that vendors of non-compliant implementations can provide customers with updates, a second release that is planned for Q1 2021 will enforce protection for all domain-joined devices.

Why do I need to follow the guidelines in How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472?

If the guidelines from the KB article are not followed, your organization risks devices in your environment being denied access when the enforcement phase starts in Q1 2021. If there are currently no non-compliant devices in your environment, you can move to enforcement mode for further protection in advance of required enforcement.

Important update: On September 28, 2020, How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 was updated to provide clarity on new questions and to reinforce actions customers need to take to ensure they are protected.

How can I be notified when the second release is available in Q1 2021?

When the second phase of Windows updates becomes available, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

Acknowledgements

  • Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)
  • Tom Tervoort of Secura

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgements for more information.

Security Updates

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.


Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions
