Security News > 2020 > September > Are your domain controllers safe from Zerologon attacks?

Are your domain controllers safe from Zerologon attacks?
2020-09-15 09:58

CVE-2020-1472 affects all supported Windows Server versions, but the danger is highest for servers that function as Active Directory domain controllers in enterprise networks.

"By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password," Secura researchers explained.

All Active Directory domain controllers should be updated, including read-only domain controllers.

"The updates will enable the Domain Controllers to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions," Microsoft explained.

Complete remediation will happen after organizations deploy Domain Controller enforcement mode, which requires all Windows and non-Windows devices to use secure NRPC or to explicitly allow the account by adding an exception for any non-compliant device.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/o0Nz03tF8nE/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-08-17 CVE-2020-1472 Use of Insufficiently Random Values vulnerability in multiple products
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).
5.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Safe 1 0 4 4 0 8