CVE-2020-1472 · threatengine.sh

Home/CVE/Microsoft Netlogon Privilege Escalation Vulnerability

CVE

CVE-2020-1472

Microsoft Netlogon Privilege Escalation Vulnerability

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).

When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

MEDIUM · CVSS 5.5 ⚠ CISA KEV EPSS 0.9438 Ransomware: known

Act now

Listed on CISA KEV (known exploited in the wild)
Linked to known ransomware campaigns
SSVC exploitation status: active
EPSS ≥ 0.50 - high probability of exploitation in the next 30 days
EPSS percentile: top 0% of all CVEs by exploitation likelihood
Public exploit or PoC is available
SSVC automatable: yes - attacks can be scripted at scale

Sigma rules12 YARA rules0

⬢

Required Remediation

Apply updates per vendor instructions.

◆

Threat Actors Linked

23

actorTA505
actorALPHV / BlackCat
actorAndariel
actorAPT33
actorOilRig
actorBianLian
Show all 23 actorsactorBlack Basta
actorCuba
actorGALLIUM
actorHive
actorIndrik Spider
actorLazarus Group
actorLockBit Operators
actorMaze
actorMedusa
actorOceanLotus / APT32
actorQilin
actorRansomHub
actorREvil
actorRhysida
actorRoyal / BlackSuit
actorSandworm Team
actorVice Society / Vanilla Tempest

▤

Affected Products & Versions

17

microsoft windows server 1903all versions
microsoft windows server 1909all versions
microsoft windows server 2004all versions
microsoft windows server 2008all versions
microsoft windows server 2012all versions
microsoft windows server 2016all versions
microsoft windows server 2019all versions
microsoft windows server 20h2all versions
Show all 17 affected productsfedoraproject fedoraall versions
opensuse leapall versions
canonical ubuntu linuxall versions
synology directory server< 4.4.5-0101
samba< 4.10.18
samba>= 4.11.0 and < 4.11.13
samba>= 4.12.0 and < 4.12.7
debian linuxall versions
oracle zfs storage appliance kitall versions

⚠

Public Exploits & PoCs

3

remoteZeroLogon - Netlogon Elevation of Privilege2020-11-18
pocpacketstormsecurity.com · Zerologon-Proof-Of-Concept.htmlpacketstormsecurity.com
pocpacketstormsecurity.com · Zerologon-Netlogon-Privilege-Escalation.htmlpacketstormsecurity.com

◈

Detection Rules (IDS/IPS)

9

et-openET EXPLOIT Possible Zerologon NetrServerAuthenticate with 0x00 Client Credentials (CVE-2020-1472)attempted-admin

et-openET INFO [401TRG] RPCNetlogon UUID (CVE-2020-1472) (Set)misc-activity

et-openET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)attempted-admin

et-openET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2attempted-admin

et-openET EXPLOIT Zerologon Phase 3/3 - NetrLogonSamLogonWithFlags Request with 0x00 Client Credentials (CVE-2020-1472)attempted-admin

et-openET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1attempted-admin

Show all 9 detection rules

et-openET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1attempted-admin

et-openET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2attempted-admin

et-openET EXPLOIT Zerologon Phase 3/3 - Malicious NetrServerPasswordSet2 (CVE-2020-1472)attempted-admin

Open rulesets (ET Open, Snort Community, abuse.ch) link to source. Commercial rulesets are reference-only.

◈

Sigma Hunt Rules

12

Exact rules name this CVE ID. Product rules name an affected product in their title. Related rules cover techniques used by actors who exploited this CVE. Showing the most relevant matches; the complete related set is on the full drill-down.

exactcriticalZerologon Exploitation Using Well-known Tools

exacthighVulnerable Netlogon Secure Channel Connection Allowed

relatedcriticalBitbucket Unauthorized Full Data Export Triggered

relatedcriticalBitbucket Unauthorized Access To A Resource

relatedcriticalAntivirus Exploitation Framework Detection

relatedcriticalAntivirus Password Dumper Detection

Show all 12 top matchesrelatedcriticalAntivirus Ransomware Detection
relatedcriticalWebshell Remote Command Execution
relatedcriticalPossible Coin Miner CPU Priority Param
relatedcriticalCobalt Strike DNS Beaconing
relatedcriticalBad Opsec Powershell Code Artifacts
relatedcriticalSilence.EDA Detection

See all related Sigma rules for this CVE

▣

Scoring & Timeline

5.5

MEDIUM · CVSS v3.1 · secure@microsoft.com

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD17 Aug 2020 · 07:15 PM

CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

SSVC triage · cisa-vulnrichment

Exploitation

active

Automatable

yes

Technical impact

total

SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

⚑

Vendor Advisories

24

suse-csafopenSUSE-SU-2024:11365-1
suse-csafopenSUSE-SU-2024:11370-1
suse-csafopenSUSE-SU-2024:11371-1
suse-csafsuse-fu-2022_4496-1
cisaKEV-CVE-2020-1472
Show all 24 vendor advisoriesrhsaRHSA-2021:3723Moderate
rhsaRHSA-2021:1647Moderate
rhsaRHBA-2021:1503Moderate
rhsaRHSA-2020:5439Moderate
usnUSN-4559-1
msrcCVE-2020-1472Elevation of Privilege
suse-csafopenSUSE-SU-2020:1526-1
suse-csafopenSUSE-SU-2020:1513-1
suse-csafSUSE-SU-2020:2719-1
suse-csafSUSE-SU-2020:2720-1
suse-csafSUSE-SU-2020:2721-1
suse-csafSUSE-SU-2020:2722-1
suse-csafSUSE-SU-2020:2724-1
suse-csafSUSE-SU-2020:2730-1
usnUSN-4510-2
usnUSN-4510-1
splunk-security-content1400624a-d42d-484d-8843-e6753e6e3645
splunk-security-contentbf7a06ec-f703-11ea-adc1-0242ac120002
ctid-attack-flowctid-attack-flow-corpus-Hancitor-DLL.afb

🔗

References & Sources

16

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00080.htmlMailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00086.htmlMailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2020/09/17/2Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/11/msg00041.htmlMailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4OTFBL6YDVFH2TBJFJIE4FMHPJEEJK3/Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ST6X3A2XXYMGD4INR26DQ4FP4QSM753B/Mailing ListThird Party Advisory

Show all 16 references

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAPQQZZAT4TG3XVRTAFV2Y3S7OAHFBUP/Mailing ListThird Party Advisory

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472PatchVendor Advisory

https://security.gentoo.org/glsa/202012-24Third Party Advisory

https://usn.ubuntu.com/4510-1/Third Party Advisory

https://usn.ubuntu.com/4510-2/Third Party Advisory

https://usn.ubuntu.com/4559-1/Third Party Advisory

https://www.kb.cert.org/vuls/id/490028Third Party AdvisoryUS Government Resource

https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory

https://www.synology.com/security/advisory/Synology_SA_20_21Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1472US Government Resource

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin