Source: Monta Elkins, Hacker-In-Chief
The CVE-2020-1472 vulnerability allows an unauthenticated attacker to completely compromise all Active Directory services. This vulnerability has been dubbed “Zerologon” by the security company that discovered it, Secura (link to their technical whitepaper below), and has received a CVSS score of 10.0 from Microsoft.
CISA released an emergency directive (ED 20-04) in response. Federal agencies are required to comply with this directive, which requires updates for all Windows domain controllers by the end of the day on Monday, September 21, 2020.
Microsoft says the updates will be released in two phases: the initial phase was released on August 11, 2020, and the enforcement phase will be released on or after February 9, 2021.
As far as vulnerabilities go, this is about as bad as it gets. Make sure you patch all of your domain controllers (including your read-only domain controllers) if you haven’t already.
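As an added example (not part of the original post), here is a PowerShell audit a defender can run once the August 2020 update is on the domain controllers: it enumerates every DC, reports whether Netlogon enforcement mode is already switched on, and summarises the Netlogon event IDs 5827-5831 that the Microsoft implementation guidance linked below introduces for this fix. It assumes the RSAT ActiveDirectory module, remoting rights on each DC, and that the registry value and event IDs match KB 4557222; `$Since` is a constructed lookback window.

```powershell
# Added example, not code from the original post. Audits all domain controllers for
# the Netlogon secure-channel events and enforcement setting described in KB 4557222.
Import-Module ActiveDirectory

# Event IDs added by the August 2020 update (System log, source NETLOGON).
$EventMap = @{
    5827 = 'Denied vulnerable Netlogon connection (machine account)'
    5828 = 'Denied vulnerable Netlogon connection (trust account)'
    5829 = 'Allowed vulnerable Netlogon connection during deployment phase (machine account)'
    5830 = 'Allowed vulnerable Netlogon connection by group policy (machine account)'
    5831 = 'Allowed vulnerable Netlogon connection by group policy (trust account)'
}
$Since = (Get-Date).AddDays(-7)   # constructed lookback window; adjust as needed

foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    # Enforcement mode is on when FullSecureChannelProtection = 1 (per KB 4557222).
    $mode = Invoke-Command -ComputerName $name -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
    }
    $modeText = if ($mode -eq 1) { 'ENFORCED' } else { 'deployment phase (not enforced)' }
    Write-Host "== $name : Netlogon secure channel protection $modeText"

    $events = Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = @(5827, 5828, 5829, 5830, 5831)
        StartTime    = $Since
    }
    if (-not $events) {
        Write-Host "   no Netlogon 5827-5831 events since $Since (update missing, or nothing to report)"
        continue
    }
    $events | Group-Object Id | ForEach-Object {
        Write-Host ("   Event {0}: {1} occurrence(s) - {2}" -f $_.Name, $_.Count, $EventMap[[int]$_.Name])
    }
    # 5829 entries name clients that still rely on vulnerable Netlogon connections;
    # those systems must be fixed before enforcement mode is switched on.
    $events | Where-Object Id -eq 5829 | Select-Object -First 10 | ForEach-Object {
        Write-Host "   5829: $(($_.Message -split "`n")[0])"
    }
}
```

A DC that shows no events at all after a week is either unpatched or has no legacy Netlogon clients; check the installed updates before assuming the latter.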
Technical Details of “Zerologon” from the vulnerability researcher Tom Tervoort of Secura
Implementation Information from Microsoft https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
Exploit Released https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472
Microsoft’s Statement on CVE-2020-1472 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
CISA Releases Directive https://us-cert.cisa.gov/ncas/current-activity/2020/09/18/cisa-releases-emergency-directive-microsoft-windows-netlogon
CISA Emergency Directive https://cyber.dhs.gov/ed/20-04/