A security flaw in the Netlogon authentication protocol, the protocol that validates authentication on domain-based (Active Directory) networks.
NETLOGON PROTOCOL
The Netlogon Remote Protocol is used to maintain domain relationships between the members of a domain and the domain controller (DC).
Port number: 389 (Lightweight Directory Access Protocol)
Working of Netlogon
1. A client challenge is sent from the client.
2. A server challenge is sent from the server.
3. A session key is derived from the session secret and the two challenges.
4. Both client and server use the session key and the challenges to compute the client and server credentials.
5. Both credentials, together with the session key, are then used to authenticate the user.
CVE-2020-1472 | Zerologon
The exploitation consists of sending a large number of authentication requests to a Domain Controller via Netlogon. Each request carries a client credential made up entirely of zeroes, and the login succeeds whenever the server happens to pick a "good" key at random, one for which those zeroes validate.
Such a key is chosen on average 1 time in 256.
In other words, by simply sending a large number of Netlogon messages in which various fields are filled with zeroes,
an attacker can change the computer password of the domain controller that is stored in Active Directory.
Zerologon poses a major threat to organizations because it targets the Domain Controller (DC).
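Why zeroes are accepted for roughly 1 key in 256 comes down to the cipher mode Netlogon uses to turn the session key and a challenge into a credential: AES in CFB8 mode with a fixed all-zero IV. In CFB8 each output byte is the input byte XORed with the first byte of the encrypted shift register, and that output byte is then shifted into the register. If encrypting the all-zero register under the session key happens to give a first byte of 0x00 (probability 1/256 for a random key), a zero input byte produces a zero output byte, the register stays all zeros, and every following byte is zero as well, so an all-zero credential validates without the client knowing the key. The model below is added here as an illustration; it is not code from the page or from any Netlogon implementation. It reproduces the CFB8 structure with a keyed hash standing in for AES (an assumption made so the example runs on the standard library; the property shown does not depend on which block cipher is used), and the keys it searches are constructed counters, not real session keys.

```python
import hashlib
from typing import Optional

BLOCK = 16  # cipher block size in bytes (AES uses 16)
ZERO_IV = bytes(BLOCK)
ZERO_CREDENTIAL = bytes(8)  # Netlogon credentials are 8 bytes long


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher (assumption: a keyed hash truncated to one
    block, used instead of AES so this runs on the standard library). The CFB8
    property demonstrated below holds for any block cipher placed here."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: encrypt the shift register, XOR its first byte with one
    plaintext byte, then shift the resulting ciphertext byte into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Model of the credential step: the challenge is encrypted under the
    session key with CFB8 and a fixed all-zero IV (the Zerologon root cause)."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zero_credential_validates(session_key: bytes) -> bool:
    """True when an all-zero challenge yields an all-zero credential, i.e. when
    a client sending zeroes for both is accepted without knowing the key."""
    return compute_credential(session_key, ZERO_CREDENTIAL) == ZERO_CREDENTIAL


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """The condition that actually decides it: encrypting the all-zero register
    gives a first byte of 0x00. Then each output byte is 0 ^ 0 = 0, the zero
    byte is shifted into an already all-zero register, the state never changes,
    and the whole credential comes out as zeroes."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def find_weak_key(limit: int = 4096) -> Optional[bytes]:
    """Search constructed keys 0, 1, 2, ... for one that accepts zero credentials."""
    for i in range(limit):
        key = i.to_bytes(BLOCK, "big")
        if zero_credential_validates(key):
            return key
    return None


def weak_key_rate(trials: int = 8192) -> float:
    """Fraction of constructed keys for which the zero credential validates;
    expected to be close to 1/256."""
    hits = sum(zero_credential_validates(i.to_bytes(BLOCK, "big")) for i in range(trials))
    return hits / trials


if __name__ == "__main__":
    key = find_weak_key()
    print("weak key found:", key.hex() if key else "none in search range")
    print("observed rate: %.4f (1/256 = %.4f)" % (weak_key_rate(), 1 / 256))
```

The two predicates are equivalent by construction, which is the whole point: the server does not need to be unlucky on all eight bytes, only on the first one, because CFB8 with a zero IV turns a single zero keystream byte into eight. The fix that ships with the patch is on the protocol side (enforcing secure RPC for the Netlogon channel), not a change to the cipher mode.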
Working of CVE-2020-1472
Detection And Mitigations
Monitor event ID 4742.
Check for ANONYMOUS LOGON users.
Monitor event ID 4648 (logons using explicit credentials) in combination with suspicious processes.
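A minimal version of those three checks, run over constructed sample events, is added here as an illustration; it is not code from the page or from any vendor tool. The log lines are invented, the field names follow the Windows Security event data names (EventID, SubjectUserName, TargetUserName, ProcessName, Computer), and the allowlist of processes expected to perform explicit-credential logons is a hypothetical placeholder that a real deployment would tune. The 4648 rule narrows the page's "suspicious processes" to explicit-credential logons as a machine account (a name ending in $) from a process outside that allowlist, since a reset DC machine password is what an attacker would have after a successful Zerologon.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample log, one JSON object per line, modeled loosely on the
# fields of Windows Security events 4742 (a computer account was changed)
# and 4648 (logon using explicit credentials). Not captured from a real system.
SAMPLE_LOG = r"""
{"EventID": 4742, "Computer": "DC01.example.local", "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC01$"}
{"EventID": 4742, "Computer": "DC01.example.local", "SubjectUserName": "DC01$", "SubjectDomainName": "EXAMPLE", "TargetUserName": "DC01$"}
{"EventID": 4648, "Computer": "WS07.example.local", "SubjectUserName": "jsmith", "TargetUserName": "svc-backup", "ProcessName": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 4648, "Computer": "WS07.example.local", "SubjectUserName": "jsmith", "TargetUserName": "DC01$", "ProcessName": "C:\\Users\\jsmith\\Downloads\\tool.exe"}
{"EventID": 4624, "Computer": "WS07.example.local", "TargetUserName": "jsmith"}
"""

# Hypothetical allowlist of processes expected to perform explicit-credential
# logons; tune to the environment being monitored.
EXPECTED_4648_PROCESSES = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\lsass.exe",
}


def parse_events(log_text: str) -> List[Dict]:
    """Parse JSON-lines event records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def is_computer_account(name: str) -> bool:
    """Machine accounts in Active Directory end with '$' (e.g. DC01$)."""
    return name.endswith("$")


def flag_events(events: Iterable[Dict]) -> List[Dict[str, str]]:
    """Apply the two Zerologon-related rules and return one finding per hit."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        subject = str(ev.get("SubjectUserName", ""))
        target = str(ev.get("TargetUserName", ""))
        host = str(ev.get("Computer", ""))
        if eid == 4742 and subject.upper() == "ANONYMOUS LOGON" and is_computer_account(target):
            # A computer account changed by an unauthenticated subject: the
            # pattern a Zerologon password reset leaves in the DC security log.
            # A machine rotating its own password (subject == target) is normal.
            findings.append({
                "rule": "4742-anonymous-computer-account-change",
                "host": host,
                "target": target,
            })
        elif eid == 4648 and is_computer_account(target) \
                and ev.get("ProcessName") not in EXPECTED_4648_PROCESSES:
            # Explicit-credential logon as a machine account from a process
            # outside the allowlist: consistent with use of a reset DC password.
            findings.append({
                "rule": "4648-explicit-creds-machine-account",
                "host": host,
                "subject": subject,
                "target": target,
                "process": str(ev.get("ProcessName", "")),
            })
    return findings


if __name__ == "__main__":
    for finding in flag_events(parse_events(SAMPLE_LOG)):
        print(finding)
```

Of the five constructed records only two fire: the 4742 whose subject is ANONYMOUS LOGON, and the 4648 where a user logs on as DC01$ from a download directory. The second 4742 (DC01$ changing its own password) is routine machine-account rotation and the 4648 for a service account from svchost.exe is allowlisted, which is what keeps the rule usable on a busy domain controller.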
Mitigation
Update your Domain Controllers with the security update released on August 11, 2020, or later.
Reference
https://www.crowdstrike.com/blog/cve-2020-1472-zerologon-security-advisory/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472