Netlogon Elevation of Privilege Vulnerability
Released: Aug 11, 2020
Last updated: Feb 11, 2021
- Assigning CNA: Microsoft
- CVE.org link: CVE-2020-1472
- Impact: Elevation of Privilege
- Max Severity: Critical
- Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
- Metrics: CVSS:3.1 Base score 5.5 / Temporal score 5.0
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None
- Exploit Code Maturity: Proof-of-Concept
- Remediation Level: Official Fix
- Report Confidence: Confirmed
Please see Common Vulnerability Scoring System for more information on the definition of these metrics.
Executive Summary
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.
For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).
When the second phase of Windows updates becomes available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed: No
- Exploited: No
- Exploitability assessment: Exploitation More Likely
FAQ
Do I need to take further steps to be protected from this vulnerability?
Yes. Installing the August 11, 2020 updates on the domain controllers protects the Windows-based machine accounts, the trust accounts, and the domain controller accounts.
Active Directory machine accounts for domain joined third-party devices are not protected until enforcement mode is deployed. Machine accounts are also not protected if they are added to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy. See How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 for more details.
If I install the updates and take no further action, what will be the impact?
During the initial deployment phase, starting with the updates released August 11, 2020 or later, the updates can be installed without any further action, and Windows devices and Domain Controllers (DCs) will be protected from this vulnerability. Third-party devices will be allowed to make vulnerable connections and might allow attack until enforcement mode is enabled. Organizations will need to monitor for and address potential issues before the Q1 2021 DC enforcement phase or risk devices being denied access. Note: Any device in the allow list will be allowed to use vulnerable connections and could expose your environment to the attack. For more information, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472.
How does Microsoft plan to address this vulnerability?
Microsoft is addressing this vulnerability in a phased rollout. The initial deployment phase starts with the Windows updates released on August 11, 2020. The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions.
The second phase, planned for a Q1 2021 release, marks the transition into the enforcement phase. The DCs will be placed in enforcement mode, which requires all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with Netlogon secure channel or to explicitly allow the account by adding an exception for any non-compliant device.
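The two answers above say that updated DCs log events for non-compliant devices and that organizations must find and fix those devices before enforcement. The following PowerShell script, added here and not part of the Microsoft advisory or KB article, summarizes those Netlogon events on a DC so the devices still relying on vulnerable secure channel connections can be listed. It assumes the event IDs and their meanings as I read them in KB4557222 (5827/5828 denied, 5829 allowed during the initial phase, 5830/5831 allowed by the exception group policy), and that the first event property holds the machine account name; verify both against the KB before relying on the output.

```powershell
# Added example, not the advisory's or KB's own code. Run on a DC that has the
# August 11, 2020 (or later) update, during the initial deployment phase.
# ASSUMPTION: event IDs/meanings per KB4557222; first property = account name.
$meaning = @{
    5827 = 'DENIED  vulnerable connection (machine account)'
    5828 = 'DENIED  vulnerable connection (trust account)'
    5829 = 'ALLOWED vulnerable connection (non-compliant; fails under enforcement)'
    5830 = 'ALLOWED by exception group policy (machine account)'
    5831 = 'ALLOWED by exception group policy (trust account)'
}

# Pull the last 7 days of Netlogon secure-channel events from the System log
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = [int[]]@($meaning.Keys)
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No Netlogon secure-channel events found in the last 7 days.'
    return
}

# Normalize each event into a row: when, which ID, what it means, which account
$rows = $events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Meaning = $meaning[$_.Id]
        Account = if ($_.Properties.Count -gt 0) { $_.Properties[0].Value } else { '?' }
    }
}

# Summary per (event ID, account): how often each device hit each outcome
$rows | Group-Object Id, Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Accounts that will be cut off once enforcement mode is active (5829 only);
# each needs a vendor update or, as a last resort, an explicit exception
Write-Output 'Non-compliant accounts still using vulnerable connections:'
$rows | Where-Object Id -eq 5829 | Select-Object -ExpandProperty Account -Unique
```

Accounts that only appear under 5830/5831 are already in the exception policy, which the advisory notes leaves them impersonatable, so they belong on the same remediation list.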
What is a non-compliant device?
A non-compliant device is one that uses a vulnerable Netlogon secure channel connection.
Why is there a staged or phased rollout?
There are many non-Windows device implementations of the Netlogon Remote Protocol (also called MS-NRPC). To ensure that vendors of non-compliant implementations can provide customers with updates, a second release that is planned for Q1 2021 will enforce protection for all domain-joined devices.
Why do I need to follow the guidelines in How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472?
If the guidelines from the KB article are not followed, your organization risks devices in your environment being denied access when the enforcement phase starts in Q1 2021. If there are currently no non-compliant devices in your environment, you can move to enforcement mode for further protection in advance of required enforcement.
Important update: On September 28, 2020, How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 was updated to provide clarity on new questions and to reinforce actions customers need to take to ensure they are protected.
How can I be notified when the second release is available in Q1 2021?
When the second phase of Windows updates becomes available, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
Acknowledgements
- Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)
- Tom Tervoort of Secura
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
Revisions
Microsoft is announcing the release of the second phase of Windows security updates to address this vulnerability. February 9, 2021 and superseding Windows Updates enable enforcement mode on all supported Windows Domain Controllers and will block vulnerable connections from non-compliant devices unless manually added to a security group referenced in "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy (https://support.microsoft.com/en-us/help/4557222#theGroupPolicy). Adding hostnames to the exception policy allows attackers to impersonate such accounts. Administrators will not be able to disable or override enforcement mode. For more information about enforcement mode, see (1.) Step 3b: Enforcement Phase in https://support.microsoft.com/kb/4557222 and (2.) the FAQ section of this CVE-2020-1472. Microsoft strongly recommends that customers install the February updates to be fully protected from this vulnerability. Customers whose Windows devices are configured to receive automatic updates do not need to take any further action.
Updated FAQ to clarify how the updates released on August 11, 2020 provide protection from this vulnerability, and to emphasize that customers need to take further action to fully protect their environments.
Updated FAQ to announce that How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (https://support.microsoft.com/kb/4557222) has been updated to provide clarity on new questions and to reinforce actions customers need to take to ensure they are protected.
Information published.
Updated one or more CVSS scores for the affected products. This is an informational change only.