CVE Reports

Posted on • Originally published at cvereports.com

CVE-2020-1472: Zerologon: When Bad Crypto Hands You the Keys to the Kingdom


Vulnerability ID: CVE-2020-1472
CVSS Score: 10.0
Published: 2020-08-17

A catastrophic cryptographic failure in the Microsoft Netlogon Remote Protocol (MS-NRPC) allowed unauthenticated attackers to compromise an entire Active Directory domain in roughly three seconds. Because the AES-CFB8 implementation used a fixed, all-zero Initialization Vector (IV), an attacker could pass Netlogon authentication as a Domain Controller and reset that DC's machine account password to an empty string.

TL;DR

Zerologon allows any unauthenticated attacker with network access to a Domain Controller to become a Domain Admin by sending it strings of zeros. It exploits a flaw in how AES-CFB8 is used: the IV is hardcoded to null bytes, so each authentication attempt with an all-zero challenge succeeds with probability 1/256.
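The 1/256 figure follows directly from how CFB8 chains its shift register. The block below is an added example, not code from the original report: it implements CFB8 over a pluggable single-block function (real AES via the `cryptography` package when it is installed, otherwise an HMAC-SHA256 stand-in, which leaves the mode's structure untouched because CFB only ever runs the block cipher forwards) and counts, over keys constructed from a seed, how often an 8-byte all-zero input encrypts to all zeros under the fixed all-zero IV versus a non-zero IV. The key derivation, sample size and helper names are assumptions made for this demonstration.

```python
"""Why a fixed all-zero IV breaks AES-CFB8 (the Zerologon core), as a runnable demo."""
import hashlib
import hmac
from typing import Callable

BLOCK = 16  # AES block size in bytes

try:
    # Use real AES when the cryptography package is available.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def make_block_fn(key: bytes) -> Callable[[bytes], bytes]:
        """Return E_key(.) on single 16-byte blocks (AES in ECB, one block at a time)."""
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return lambda block: enc.update(block)
except ImportError:
    def make_block_fn(key: bytes) -> Callable[[bytes], bytes]:
        """Stand-in keyed pseudorandom function (HMAC-SHA256 truncated to 16 bytes).
        CFB only uses the forward direction of the block cipher, so swapping in a
        PRF leaves the CFB8 argument below unchanged."""
        return lambda block: hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of E_key(register);
    the register then drops its oldest byte and appends the ciphertext byte."""
    if len(iv) != BLOCK:
        raise ValueError("IV must be exactly one block")
    encrypt_block = make_block_fn(key)
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ encrypt_block(bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


ZERO_IV = bytes(BLOCK)
ZERO_CHALLENGE = bytes(8)  # Netlogon challenges and credentials are 8 bytes


def zero_iv_output_is_zero(key: bytes) -> bool:
    """With IV = 0 and plaintext = 0, the output is all zeros exactly when the first
    keystream byte E_key(0)[0] is 0 (probability 1/256 over keys): the register
    then stays all-zero, so every later keystream byte is that same zero byte."""
    return cfb8_encrypt(key, ZERO_IV, ZERO_CHALLENGE) == ZERO_CHALLENGE


def count_zero_outputs(n_keys: int, iv: bytes, seed: str = "demo") -> int:
    """Count constructed keys (derived from `seed`) whose all-zero challenge
    encrypts to all zeros under `iv`."""
    hits = 0
    for i in range(n_keys):
        key = hashlib.sha256(f"{seed}:{i}".encode()).digest()[:BLOCK]  # constructed key
        if cfb8_encrypt(key, iv, ZERO_CHALLENGE) == ZERO_CHALLENGE:
            hits += 1
    return hits


if __name__ == "__main__":
    n = 25600
    print(f"zero IV   : {count_zero_outputs(n, ZERO_IV)}/{n} keys (expect about {n // 256})")
    print(f"nonzero IV: {count_zero_outputs(n, bytes(range(BLOCK)))}/{n} keys (expect 0)")
```

With a non-zero IV the register never sits at all-zeros, so an all-zero output needs eight independent keystream bytes to be zero (about 2^-64), which is why the fixed IV, not CFB8 itself, is the defect. The fix on the protocol side is to stop accepting the weak channel, which is exactly what the Secure RPC enforcement below does.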


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • CWE ID: CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • Attack Vector: Network (AV:N)
  • CVSS v3.1: 10.0 (Critical)
  • Exploit Reliability: 100% (after ~256 attempts)
  • Impact: Full Domain Compromise (Privilege Escalation)
  • KEV Status: Listed (Active Exploitation)

Affected Systems

  • Windows Server 2008 R2, 2012, 2012 R2, 2016 and 2019 (Fixed in: KB4571703)
  • Samba acting as a Domain Controller, 4.0.0 <= version < 4.10.18 (Fixed in: 4.10.18)

Exploit Details

  • GitHub: Original Python PoC by dirkjanm
  • GitHub: RiskSense sophisticated exploit tool
  • GitHub: Exploit with password restore capability

Mitigation Strategies

  • Enforce Secure RPC for all Netlogon connections
  • Apply Microsoft August 2020 security updates (KB4571703) immediately
  • Monitor for Event ID 5829 (vulnerable Netlogon secure channel connection allowed) and Event ID 5827 (vulnerable connection denied)
  • Disable the 'Allow vulnerable Netlogon secure channel connections' Group Policy

Remediation Steps:

  1. Install the August 2020 Update on all Domain Controllers.
  2. Monitor DC event logs for non-compliant devices using Event ID 5829.
  3. Address non-compliant devices by updating their drivers/firmware or replacing them.
  4. Once confident, enable 'Enforcement Mode' (default as of Feb 2021) to block all insecure connections.
  5. Verify that the registry key 'FullSecureChannelProtection' is set to 1.
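Steps 2 to 4 hinge on reading Event IDs 5829 and 5827 out of the Domain Controllers' System log and knowing when no device still depends on the vulnerable channel. The following added example (not from the original report and not Microsoft's tooling) parses a constructed text export of such events, with record layout and field names assumed to follow the "Field: value" shape of the event message, tallies which machine accounts are still being allowed vulnerable connections, and reports whether enforcement can be switched on without breaking anything.

```python
"""Triage of Netlogon Event IDs 5829 / 5827 from a text export of a DC's System log."""
import re
from collections import Counter
from typing import Dict, List

ALLOWED_VULNERABLE = 5829  # vulnerable connection allowed (pre-enforcement)
DENIED_VULNERABLE = 5827   # vulnerable connection from a machine account denied

# Constructed sample export, not real log data. Field names mirror the shape of
# the 5829/5827 event message body; treat the exact names as an assumption.
SAMPLE_EXPORT = """\
TimeCreated: 2020-09-14 07:55:10
Id: 5829
Message: The Netlogon service allowed a vulnerable Netlogon secure channel connection.
Machine SamAccountName: NAS01$
Domain: CORP
Account Type: Workstation Trust Account
Machine Operating System: Linux
Machine Operating System Build: 4.19

TimeCreated: 2020-09-14 09:02:41
Id: 7036
Message: The Windows Update service entered the running state.

TimeCreated: 2020-09-15 08:12:03
Id: 5829
Message: The Netlogon service allowed a vulnerable Netlogon secure channel connection.
Machine SamAccountName: PRINTER02$
Domain: CORP
Account Type: Workstation Trust Account
Machine Operating System: Embedded
Machine Operating System Build: 2.1

TimeCreated: 2020-09-15 11:40:22
Id: 5829
Message: The Netlogon service allowed a vulnerable Netlogon secure channel connection.
Machine SamAccountName: NAS01$
Domain: CORP
Account Type: Workstation Trust Account
Machine Operating System: Linux
Machine Operating System Build: 4.19

TimeCreated: 2020-09-16 06:01:00
Id: 5827
Message: The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.
Machine SamAccountName: OLDBOX$
Domain: CORP
Account Type: Workstation Trust Account
"""


def parse_export(text: str) -> List[Dict[str, object]]:
    """Split the export into blank-line-separated records of 'Key: value' pairs."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, object] = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first colon only; times keep theirs
            if sep:
                rec[key.strip()] = value.strip()
        if "Id" in rec:
            rec["Id"] = int(rec["Id"])
            records.append(rec)
    return records


def summarize(records: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Tally allowed (5829) and denied (5827) vulnerable connections per machine account."""
    allowed: Counter = Counter()
    denied: Counter = Counter()
    os_by_host: Dict[str, str] = {}
    for rec in records:
        if rec["Id"] not in (ALLOWED_VULNERABLE, DENIED_VULNERABLE):
            continue
        host = f"{rec.get('Domain', '?')}\\{rec.get('Machine SamAccountName', '?')}"
        if rec["Id"] == ALLOWED_VULNERABLE:
            allowed[host] += 1
            os_by_host[host] = str(rec.get("Machine Operating System", "unknown"))
        else:
            denied[host] += 1
    return {"allowed": dict(allowed), "denied": dict(denied), "os": os_by_host}


def ready_for_enforcement(summary: Dict[str, Dict[str, object]]) -> bool:
    """Step 4 gate: enforcement is safe only once no device still needs the weak channel."""
    return not summary["allowed"]


if __name__ == "__main__":
    s = summarize(parse_export(SAMPLE_EXPORT))
    for host, n in sorted(s["allowed"].items()):
        print(f"STILL VULNERABLE  {host:<20} {n} connection(s)  OS={s['os'][host]}")
    for host, n in sorted(s["denied"].items()):
        print(f"DENIED (enforced) {host:<20} {n} connection(s)")
    print("ready for enforcement:", ready_for_enforcement(s))
```

Run this against a real export covering a full business cycle (month-end jobs included) before trusting the "ready" verdict; a device that only connects weekly will not show up in a two-day window.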

Read the full report for CVE-2020-1472 on our website for more details including interactive diagrams and full exploit analysis.
