Harisuthan

Zerologon Vulnerability | CVE-2020-1472



Zerologon is a security flaw in the Netlogon authentication protocol, the protocol that handles authentication on domain-based (Active Directory) networks.


NETLOGON PROTOCOL



The Netlogon Remote Protocol is used to maintain domain relationships between the members of a domain and the domain controller (DC).


Port number: 389 (Lightweight Directory Access Protocol)


Working of Netlogon

  1. A client challenge is sent from the client.

  2. A server challenge is sent from the server.

  3. A session key is derived from the session secret and the two challenges.

  4. Both client and server use the session key together with the challenges to compute client and server credentials.

  5. Both credentials, together with the session key, are then used to authenticate the user.


CVE-2020-1472 | Zerologon


The exploitation consists of sending a large number of authentication requests to a Domain Controller via Netlogon. Each request carries a client credential made up entirely of zeroes, and the login succeeds whenever the server happens to derive a session key for which that all-zero credential is valid.


On average, such a key is hit once in every 256 attempts.


In other words, by simply sending a large number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in Active Directory.


Zerologon poses a major threat to organizations because it targets the Domain Controller (DC) itself.


Working of CVE-2020-1472

Detection and Mitigation

  1. Monitor event ID 4742 (a computer account was changed); a domain controller's own machine password normally changes only on its scheduled rotation.

  2. Check whether the account that made the change is ANONYMOUS LOGON.

  3. Monitor event ID 4648 (a logon was attempted using explicit credentials) originating from suspicious processes.
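The two detection points above, turned into a small triage script. This is an added example, not part of the original post; it runs over constructed sample records shaped like parsed Windows Security events (field names follow the event XML: EventID, SubjectUserName, TargetUserName, ProcessName), and the allow-list of trusted process paths is an assumption you would tune to your estate.

```python
"""Triage Windows Security events for Zerologon-style indicators (added example)."""

# Constructed sample events, not real log data. The second record models a DC
# machine-account password reset performed by an anonymous subject.
SAMPLE_EVENTS = [
    {"EventID": 4742, "TimeCreated": "2020-09-15T10:00:00", "SubjectUserName": "DC01$",
     "TargetUserName": "DC01$", "Computer": "DC01"},                 # normal scheduled rotation
    {"EventID": 4742, "TimeCreated": "2020-09-15T10:05:12", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "Computer": "DC01"},                 # suspicious: anonymous subject
    {"EventID": 4648, "TimeCreated": "2020-09-15T10:05:30", "SubjectUserName": "jdoe",
     "TargetUserName": "Administrator", "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 4648, "TimeCreated": "2020-09-15T10:05:31", "SubjectUserName": "jdoe",
     "TargetUserName": "Administrator", "ProcessName": "C:\\Users\\jdoe\\Downloads\\tool.exe"},
]

ANONYMOUS = "ANONYMOUS LOGON"
# Assumed allow-list: explicit-credential logons from binaries outside these
# paths are surfaced for review. Adjust to the environment.
TRUSTED_PROCESS_PREFIXES = ("c:\\windows\\",)


def suspicious_computer_changes(events):
    """Return 4742 events where a computer account (name ends in '$') was changed
    by ANONYMOUS LOGON. Legitimate machine-password rotation is done by the
    computer account itself, so an anonymous subject is the page's first indicator."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4742:
            continue
        subject = ev.get("SubjectUserName", "").upper()
        target = ev.get("TargetUserName", "")
        if subject == ANONYMOUS and target.endswith("$"):
            hits.append(ev)
    return hits


def explicit_logons_from_unusual_processes(events, trusted=TRUSTED_PROCESS_PREFIXES):
    """Return 4648 events whose ProcessName is not under a trusted path prefix.
    Comparison is case-insensitive because Windows paths are."""
    return [
        ev for ev in events
        if ev.get("EventID") == 4648
        and not ev.get("ProcessName", "").lower().startswith(tuple(p.lower() for p in trusted))
    ]


if __name__ == "__main__":
    for ev in suspicious_computer_changes(SAMPLE_EVENTS):
        print("4742 by anonymous subject:", ev["TimeCreated"], ev["TargetUserName"], "on", ev["Computer"])
    for ev in explicit_logons_from_unusual_processes(SAMPLE_EVENTS):
        print("4648 from untrusted process:", ev["TimeCreated"], ev["ProcessName"])
```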

Mitigation

  1. Update your Domain Controllers with the security update released on August 11, 2020, or a later one.




