
Exploit Code Prompts CISA Alert to Microsoft Netlogon Vulnerability

Publicly available exploit code for an elevation of privilege vulnerability in Microsoft’s Netlogon will make unpatched systems an attractive target for cybercriminals, DHS CISA warns.

A recent public exploit for an elevation of privilege vulnerability in Microsoft’s Netlogon will make unpatched systems a prime target for cybercriminals, according to a recent alert from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

A secondary notice from the CERT Coordination Center noted:

"An unauthenticated attacker with network access to a domain controller can impersonate any domain-joined computer, including a domain controller. Among other actions, the attacker can set an empty password for the domain controller's Active Directory computer account, causing a denial of service, and potentially allowing the attacker to gain domain administrator privileges."

Compromise of Active Directory infrastructure would likely have a significant and costly impact.

The CVE-2020-1472 flaw can be exploited when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller through the Netlogon Remote Protocol (MS-NRPC), an RPC interface used exclusively by domain-joined devices.

MS-NRPC combines an authentication method with a separate mechanism for establishing a Netlogon secure channel. To exploit the flaw, an attacker uses MS-NRPC to connect to a domain controller and gain domain administrator access.

A successful exploit could allow the threat actor to run a specially crafted application on a network device. Microsoft provided a patch for the flaw in August as the first part of a two-part rollout; it modifies how Netlogon handles the use of secure channels.

The second part of the Windows update will be released during the first quarter of 2021. However, hackers have already released a public exploit for the flaw, which increases the risk of exploitation for any organization that has not applied the first patch and/or the recommended mitigation steps.

DHS CISA is urging organizations to review the Microsoft security advisory from August, as well as insights on how to manage changes to Netlogon secure channel connections as they relate to the vulnerability. 

The initial update enforces secure RPC use for machine accounts, trust accounts, and for all Windows and non-Windows DCs. It also created a new group policy to allow non-compliant device accounts  

“Even when DCs are running in enforcement mode or after the Enforcement phase starts, allowed devices will not be refused connection,” Microsoft explained at the time. 

“This security update addresses the vulnerability by enforcing secure RPC when using the Netlogon secure channel in a phased release,” they added. “To provide AD forest protection, all DCs must be updated since they will enforce secure RPC with Netlogon secure channel. This includes read-only domain controllers (RODC).”

Microsoft explained that organizations can further mitigate the vulnerability by installing the update on DCs and RODCs, monitoring for the new events, and addressing non-compliant devices, meaning those that are still vulnerable to the flaw because they use vulnerable Netlogon secure channel connections.

While organizations can allow machine accounts on non-compliant devices to keep using the Netlogon secure channel, Microsoft stressed that those devices should be updated to support secure RPC for Netlogon, and the account enforced where possible, to reduce the risk of cyberattack.

In February 2021, Microsoft plans to transition into the enforcement phase of the software update, which will force DCs into the enforcement mode “regardless of the enforcement mode registry key.” 

“This requires all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device,” Microsoft explained. 

The forthcoming release will enforce secure RPC use for machine accounts on non-Windows devices, unless an administrator explicitly permits vulnerable Netlogon secure channel connections for those accounts through the domain controller group policy.

The update will also remove logging of Event ID 5829, as the patch will deny all vulnerable connections unless specified. 

“Once all warning events have been addressed, full protection can be enabled by deploying DC enforcement mode,” Microsoft explained. “All warnings should be resolved before the February 9, 2021 enforcement phase update.”

“By default, supported versions of Windows that have been fully updated should not be using vulnerable Netlogon secure channel connections,” they added. “If one of these events is logged in the system event log for a Windows device: Confirm that the device is running a supported version of Windows, ensure the device is fully updated …”

Organizations should also verify that domain members are configured to always digitally encrypt or sign secure channel data.
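The mitigation steps above (install the update, monitor the new Netlogon events, address non-compliant devices, then enable DC enforcement mode) can be checked from a domain controller. The script below is an added example written for this article; it is not code from the article, CISA or Microsoft. It assumes that Netlogon reads its settings from the Parameters key shown, that the DWORD value FullSecureChannelProtection set to 1 is the enforcement mode registry key the article refers to, that RequireSignOrSeal set to 1 corresponds to the "always digitally encrypt or sign secure channel data" domain member policy, and that the message text of Event ID 5829 contains a "Machine SamAccountName:" line naming the device; confirm those details against Microsoft's current guidance before relying on the report.

```powershell
# Added example (not from the article, CISA or Microsoft): summarise CVE-2020-1472
# mitigation state on a domain controller. Run in an elevated PowerShell session on the DC.
# Assumptions are noted inline; check value names and event text against Microsoft's guidance.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Read one DWORD value from the Netlogon parameters key; $null if the value is absent.
function Get-NetlogonDword([string]$Name) {
    $item = Get-ItemProperty -Path $NetlogonKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Enforcement state of this DC. Assumption: FullSecureChannelProtection=1 is enforcement mode;
# RequireSignOrSeal=1 is the "Digitally encrypt or sign secure channel data (always)" policy.
function Get-NetlogonEnforcementState {
    [pscustomobject]@{
        EnforcementMode   = (Get-NetlogonDword 'FullSecureChannelProtection') -eq 1
        RequireSignOrSeal = (Get-NetlogonDword 'RequireSignOrSeal') -eq 1
    }
}

# Event ID 5829 is logged (until the enforcement phase) each time the DC allows a vulnerable
# Netlogon secure channel connection. Every account listed here is a non-compliant device that
# must be updated or explicitly excepted before enforcement mode is switched on.
function Get-VulnerableNetlogonConnections {
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5829
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as no events.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumption: the message text carries a "Machine SamAccountName: <name>" line.
        $account = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
        [pscustomobject]@{ Time = $e.TimeCreated; Account = $account }
    }
}

# --- Report -----------------------------------------------------------------------------
$state = Get-NetlogonEnforcementState
Write-Host "DC enforcement mode enabled : $($state.EnforcementMode)"
Write-Host "Sign/seal always required   : $($state.RequireSignOrSeal)"

$conns = @(Get-VulnerableNetlogonConnections -Days 7)
if ($conns.Count -eq 0) {
    Write-Host 'No Event ID 5829 entries in the last 7 days: no vulnerable connections were allowed.'
} else {
    Write-Host "Non-compliant devices seen in the last 7 days ($($conns.Count) events):"
    $conns | Group-Object Account | Sort-Object Count -Descending |
        Select-Object @{ n = 'Account'; e = { $_.Name } },
                      Count,
                      @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time } } |
        Format-Table -AutoSize
    if ($state.EnforcementMode) {
        Write-Warning 'Enforcement mode is on but 5829 events are still present; verify the update level of this DC.'
    }
}
```

Run it on every DC and RODC, since each one logs only the connections it accepted itself. An empty 5829 list across all DCs over a reasonable window is the signal the article describes for moving to enforcement mode; a non-empty list names the accounts to update (or, only where unavoidable, to except through the group policy) first.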

The alert comes on the heels of a DHS CISA report showing that hackers with ties to Iran are targeting several critical vulnerabilities in a range of US organizations, including those in healthcare. Multiple hacking groups actively scan for vulnerabilities, and with a public exploit now available, it is critical that entities patch this known vulnerability to avoid system compromise.
