CISA Warns of Public Exploit for Windows Netlogon Remote Protocol Vulnerability

CISA has published information on a critical vulnerability in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) now that a public exploit for the flaw has been released. If exploited, an attacker could gain access to a domain controller with administrator privileges.

MS-NRPC is a core component of Active Directory that provides authentication for users and accounts. “The Netlogon Remote Protocol (MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel,” explained Microsoft.

The vulnerability, tracked as CVE-2020-1472, is an elevation of privilege vulnerability that can be exploited when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller. MS-NRPC reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode, which would allow an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and gain domain administrator privileges.

Microsoft is addressing the vulnerability in a phased, two-part rollout. Microsoft released a patch for the vulnerability on August 2020 Patch Tuesday which changes Netlogon client behavior to use secure RPC with the Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DCs). The second “enforcement phase” is planned for Q1 2021, on or after February 9, 2021, and will be deployed automatically.

Microsoft explained the “changes to the Netlogon protocol have been made to protect Windows devices by default, log events for non-compliant device discovery, and add the ability to enable protection for all domain-joined devices with explicit exceptions.”

The patch enforces secure RPC usage for machine accounts on Windows-based devices, trust accounts, and all Windows and non-Windows DCs. A new group policy is included to allow non-compliant device accounts as explicit exceptions.

“Mitigation consists of installing the update on all DCs and RODCs, monitoring for new events, and addressing non-compliant devices that are using vulnerable Netlogon secure channel connections,” explained Microsoft. “Machine accounts on non-compliant devices can be allowed to use vulnerable Netlogon secure channel connections; however, they should be updated to support secure RPC for Netlogon and the account enforced as soon as possible to remove the risk of attack.”

After the patch has been deployed, the DCs must be monitored for the new warning events, and action is required on each device those events identify. All warning events must be resolved before the February 2021 enforcement phase begins.

Deployment guidelines for the August 2020 patch are detailed here.

The February update will transition into the enforcement phase and will put DCs into enforcement mode regardless of the enforcement-mode registry key, forcing all Windows and non-Windows devices to use secure RPC with the Netlogon secure channel, or requiring the account to be explicitly allowed by adding an exception for the non-compliant device. The update will also remove the warning logging, since all vulnerable connections will be denied.
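The monitoring and enforcement steps above are what an administrator actually has to operationalize on each DC. The following PowerShell is an added example written for this page; it is not code from the article, from CISA or from Microsoft. It triages the NETLOGON warning events Microsoft's guidance refers to (Event IDs 5827 through 5831 in the System log) by event type and machine account, and reports the state of the enforcement-mode registry value (FullSecureChannelProtection under the Netlogon Parameters key). The sample event records are constructed so the script runs offline; the "Machine SamAccountName:" line the parser keys off is an assumption about the real event message layout, so verify it against an event on your own DC.

```powershell
# Added example: triage of Netlogon warning events and enforcement-mode check.
# Not from the article or from Microsoft. Event IDs 5827-5831 and the
# FullSecureChannelProtection value are the ones Microsoft's guidance names;
# the sample events below are CONSTRUCTED and the "Machine SamAccountName:"
# field is ASSUMED to match the real message text.

# What each event ID means and what it implies for the enforcement deadline.
$NetlogonEventMeaning = @{
    5827 = 'Denied: vulnerable connection from a machine account (already blocked)'
    5828 = 'Denied: vulnerable connection from a trust account (already blocked)'
    5829 = 'Allowed: vulnerable connection - fix this device before enforcement'
    5830 = 'Allowed by group policy exception: machine account'
    5831 = 'Allowed by group policy exception: trust account'
}

# CONSTRUCTED sample records. On a real DC, replace this array with:
#   Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='NETLOGON'; Id=5827,5828,5829,5830,5831 }
$SampleEvents = @(
    [pscustomobject]@{ Id = 5829; TimeCreated = [datetime]'2020-09-14T08:12:00'
        Message = "The Netlogon service allowed a vulnerable Netlogon secure channel connection.`r`n`r`nMachine SamAccountName: PRINTSRV01`$`r`nDomain: CORP" }
    [pscustomobject]@{ Id = 5829; TimeCreated = [datetime]'2020-09-14T09:40:00'
        Message = "The Netlogon service allowed a vulnerable Netlogon secure channel connection.`r`n`r`nMachine SamAccountName: PRINTSRV01`$`r`nDomain: CORP" }
    [pscustomobject]@{ Id = 5830; TimeCreated = [datetime]'2020-09-14T10:05:00'
        Message = "The Netlogon service allowed a vulnerable Netlogon secure channel connection because the machine account is allowed in the group policy.`r`n`r`nMachine SamAccountName: LEGACYNAS`$`r`nDomain: CORP" }
    [pscustomobject]@{ Id = 5827; TimeCreated = [datetime]'2020-09-14T11:30:00'
        Message = "The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.`r`n`r`nMachine SamAccountName: OLDLAPTOP7`$`r`nDomain: CORP" }
)

function Get-NetlogonTriage {
    # Summarise one row per (event ID, machine account): how often it was seen,
    # when it was last seen, and what the administrator has to do about it.
    param([Parameter(Mandatory)] [object[]] $Events)

    $Events |
        ForEach-Object {
            # Pull the account name out of the message body (assumed field name).
            $account = if ($_.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
            [pscustomobject]@{
                Id      = [int]$_.Id
                Account = $account
                Time    = $_.TimeCreated
            }
        } |
        Group-Object Id, Account |
        ForEach-Object {
            [pscustomobject]@{
                Id       = $_.Group[0].Id
                Account  = $_.Group[0].Account
                Count    = $_.Count
                LastSeen = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
                Meaning  = $NetlogonEventMeaning[$_.Group[0].Id]
            }
        } |
        Sort-Object Id, Account
}

function Get-NetlogonEnforcementState {
    # Read the enforcement-mode switch. Absent means the deployment-phase
    # defaults apply until the February 2021 update forces enforcement.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $item = Get-ItemProperty -Path $key -Name FullSecureChannelProtection -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.FullSecureChannelProtection } else { $null }
    switch ($value) {
        1       { 'Enforcement mode ON (FullSecureChannelProtection = 1)' }
        0       { 'Enforcement mode OFF (FullSecureChannelProtection = 0): vulnerable connections still allowed' }
        default { 'FullSecureChannelProtection not set: deployment-phase defaults apply until the February 2021 update' }
    }
}

# Usage: the 5829 rows are the devices that must be updated (or explicitly
# excepted) before the enforcement phase, because they will then be denied.
Get-NetlogonTriage -Events $SampleEvents | Format-Table -AutoSize
Get-NetlogonEnforcementState
```

Run this on each DC (or against exported System-log records) and treat every 5829 row as a work item: the device either gets a Netlogon-secure-RPC-capable update or a deliberate, documented group policy exception, since after the February 2021 update there will be no warning event, only a denied connection.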

If the August 2020 patch has not yet been applied, systems will be vulnerable to attack. CISA warns that the flaw is an attractive target for attackers and immediate patching is strongly recommended. Should the vulnerability be exploited, and the Active Directory infrastructure compromised, significant damage can be caused, and the attack will be costly to mitigate.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.