Security News > 2020 > September > Are your domain controllers safe from Zerologon attacks?
CVE-2020-1472 affects all supported Windows Server versions, but the danger is highest for servers that function as Active Directory domain controllers in enterprise networks.
"By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password," Secura researchers explained.
All Active Directory domain controllers should be updated, including read-only domain controllers.
"The updates will enable the Domain Controllers to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions," Microsoft explained.
Complete remediation will happen after organizations deploy Domain Controller enforcement mode, which requires all Windows and non-Windows devices to use secure NRPC or to explicitly allow the account by adding an exception for any non-compliant device.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/o0Nz03tF8nE/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-08-17 | CVE-2020-1472 | Use of Insufficiently Random Values vulnerability in multiple products An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). | 0.0 |