CISA Warns of Public Exploit for Windows Netlogon Remote Protocol Vulnerability

CISA has issued an advisory on a critical vulnerability in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) because a public exploit for it has now been released. An attacker could exploit the vulnerability to gain access to a domain controller with administrator privileges.

MS-NRPC is a core component of Active Directory that authenticates users and machine accounts. Microsoft describes MS-NRPC as an RPC interface used specifically by domain-joined devices. It consists of an authentication process and a method for establishing a Netlogon secure channel.

The vulnerability, tracked as CVE-2020-1472, is an elevation of privilege vulnerability that an attacker could exploit by establishing a vulnerable Netlogon secure channel connection to a domain controller. MS-NRPC reuses a known, fixed, zero-value initialization vector (IV) in AES-CFB8 mode. This allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and obtain domain administrator privileges.

Microsoft is addressing the vulnerability in two phases. The first patch was released on August 2020 Patch Tuesday. It changes Netlogon client behavior to use secure RPC with the Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DCs). The second phase is scheduled for Q1 2021, on February 9, 2021, and will be deployed automatically.

Microsoft stated that the changes to the Netlogon protocol were made to keep Windows devices secure by default, to log events for discovering non-compliant devices, and to add the ability to enable protection for all domain-joined devices with explicit exceptions.

The patch enforces secure RPC usage for machine accounts on Windows-based devices, for trust accounts, and for Windows and non-Windows DCs. A new group policy is included to allow non-compliant devices.

Mitigation consists of updating all DCs and RODCs, monitoring for the new events, and addressing non-compliant devices that use vulnerable Netlogon secure channel connections. Machine accounts on non-compliant devices may be allowed to keep using vulnerable Netlogon secure channel connections, but they should be updated to use secure RPC for Netlogon and the account enforced as soon as possible to remove the possibility of an attack.

After applying the patch, monitoring is required to identify the warning events and determine the action needed for each one. All warning events should be resolved before the February 2021 enforcement phase begins.

Read the deployment guidelines for the patch released in August 2020 on this link.

The February update moves into the enforcement phase and puts DCs into enforcement mode regardless of the enforcement mode registry key, so that all Windows and non-Windows devices must use secure RPC with the Netlogon secure channel or be explicitly allowed by adding an exception for the non-compliant device. The update will also remove the logging, since all vulnerable connections will be rejected.
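The monitoring described above, as an added example that is not part of the CISA advisory or Microsoft's guidance: a PowerShell script, run on a patched DC, that reports whether the enforcement mode registry value is set and summarizes the Netlogon warning events by account. The event IDs 5827 to 5831 and the FullSecureChannelProtection registry value are taken from Microsoft's deployment guidance, not from this page; the account-name extraction assumes the "Machine SamAccountName:" line in those events' message text.

```powershell
# Netlogon event IDs added by the August 2020 update (from Microsoft's deployment
# guidance; the advisory above does not list them).
$NetlogonEventIds = @{
    5827 = 'Denied: vulnerable connection from machine account'
    5828 = 'Denied: vulnerable connection from trust account'
    5829 = 'Allowed (deployment phase): machine account still on vulnerable channel'
    5830 = 'Allowed by policy exception: machine account'
    5831 = 'Allowed by policy exception: trust account'
}

function Get-NetlogonEnforcementState {
    # FullSecureChannelProtection = 1 puts the DC into enforcement mode before February 2021.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection `
                -ErrorAction SilentlyContinue).FullSecureChannelProtection
    if ($value -eq 1) { 'Enforcement' }
    else { 'Deployment (vulnerable connections still allowed and logged)' }
}

function Get-NetlogonNonCompliantDevices {
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = @($NetlogonEventIds.Keys)
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumption: the message contains a "Machine SamAccountName: <name>" line.
        $account = if ($e.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Meaning     = $NetlogonEventIds[$e.Id]
            Account     = $account
        }
    }
}

"Domain controller mode: $(Get-NetlogonEnforcementState)"
# Accounts generating 5829 need secure RPC; 5830/5831 show exceptions that should be reviewed.
Get-NetlogonNonCompliantDevices -Days 14 |
    Group-Object EventId, Account |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run it on each DC (or point Get-WinEvent at each DC with -ComputerName) before the February 2021 enforcement phase; any account still appearing under 5829 will be rejected once enforcement starts.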

Systems that have not applied the August 2020 patch remain vulnerable to attack. CISA cautions that the vulnerability is an attractive target for threat actors and strongly advises prompt patching. If the vulnerability is exploited and the Active Directory infrastructure compromised, the damage could be considerable and the attack very costly to remediate.