Microsoft recently released a patch for CVE-2020-1472, a software flaw in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). As noted in a Secura blog post, an unauthenticated attacker with network access to a domain controller could exploit this vulnerability, dubbed Zerologon, to compromise all Active Directory (AD) identity services. An attacker does not need credentials to gain privileges on the network, only access to the domain. Install this update on your domain controllers as soon as possible if you have not done so already.
The Netlogon Remote Protocol is a remote procedure call (RPC) interface available on Windows domain controllers. It’s used to facilitate users logging into servers using the NTLM protocol. As Secura notes in its whitepaper, “By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password. This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain.”
The US Cybersecurity and Infrastructure Security Agency (CISA) warns that exploit code for this vulnerability has been released to the web, and Microsoft reports that it has already observed attacks where those public exploits have been used.
While Microsoft has patched CVE-2020-1472, you need to perform additional steps to be fully protected, especially when interacting with non-Microsoft platforms. If you have installed the August 11 (or later) security updates on your domain controllers, that is all you need to do for now, but more will be required later. With the patch installed on your Windows devices, you are protected as long as your network includes only supported Windows devices. Non-Microsoft devices that may not support this setting will expose your domain to attacks, which is why Microsoft will enforce secure RPC usage for accounts on non-Windows devices in February 2021.
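A check a domain administrator can run on a patched domain controller to see whether enforcement is already on and which devices are still using insecure Netlogon connections, as an added example that is not part of the original article. It assumes it runs locally on a DC with administrative rights; the registry value and event IDs are from Microsoft's published guidance for the August 2020 update, and the account-name parsing of the event message is an assumption.

```powershell
# Added example (not from the original article): audit a domain controller
# for CVE-2020-1472 (Zerologon) mitigation status after the August 2020 update.
# Assumes it is run locally on a patched DC with administrative rights.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# FullSecureChannelProtection = 1 turns on enforcement mode: vulnerable
# Netlogon secure channel connections are denied unless a group policy
# exception allows them. Absent or 0 = initial deployment mode.
$Enforce = (Get-ItemProperty -Path $NetlogonParams `
    -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($Enforce -eq 1) { 'Enforcement mode: ON' } else { 'Enforcement mode: OFF (initial deployment phase)' }

# Events the patched Netlogon service writes to the System log:
#   5827 / 5828 - vulnerable connection DENIED (machine / trust account)
#   5829        - vulnerable connection ALLOWED during initial deployment phase
#   5830 / 5831 - vulnerable connection ALLOWED by group policy exception
# Anything logged as 5829 is a device that will break when enforcement starts.
$Filter = @{
    LogName   = 'System'
    Id        = 5827, 5828, 5829, 5830, 5831
    StartTime = (Get-Date).AddDays(-7)
}
$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

# Assumption: the event message names the account as "SamAccountName: <name>"
# (machine accounts) or "Trust Name: <name>" (trust accounts).
$Report = foreach ($Event in $Events) {
    $Account = 'unknown'
    if ($Event.Message -match '(?:SamAccountName|Trust Name):\s*(\S+)') { $Account = $Matches[1] }
    [pscustomobject]@{
        TimeCreated = $Event.TimeCreated
        Id          = $Event.Id
        Account     = $Account
    }
}

# One row per (event id, account): the 5829 rows are the devices to fix or
# to cover with an explicit group policy exception before February 2021.
$Report | Group-Object Id, Account | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```

Run it on every domain controller, since each DC only logs the connections it handled itself.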