Login
Start Free Trial
Back

February Trending CVEs: CVE-2020-1472

Mar 11, 2021

As stewards of the lush and vast landscape of security vulnerabilities, we felt obliged to share with you the top trending CVEs of the past month (who's excited for winter to be over?! 😁☀️🌷). Brace yourself! Ok, here we go.

CVE-2020-1472
Technical Background 

On August 11, 2020, Microsoft released a security update that includes a patch for a severe vulnerability in the NETLOGON protocol CVE-2020-1472. Since no primary technical information was published, the CVE failed to get much attention even though it received a maximum CVSS score of 10.

This vulnerability allows an unauthenticated attacker to access a domain controller, establish a vulnerable Netlogon session, and gain domain administrator privileges. 

The vulnerability is critical because the major requirement for a successful exploit is the ability to establish a connection with a domain controller.

Exploit Steps Overview  
  • Establish an unsecure Netlogon channel against a domain controller by performing a brute-force attack using an 8 zero-bytes challenge and ciphertext, while tricking the identity of that same domain controller. 
  • Use the NetrServerPasswordSet2 call to set the domain controller account’s password, as stored in Active Directory, to an empty one. This breaks some of the domain controller functionality since the password stored in the domain controller’s registry does not change.
  • Use the empty password to connect to that same domain controller and dump additional hashes by using the Domain Replication Service (DRS) protocol.
  • Revert the domain controller password to the original one as stored in the local registry to avoid detection.
  • Exploit the hashes dumped from stage 3 to perform any preferred attack.
Solution

Applying the Patch Tuesday update from Microsoft’s Advisory will fix the vulnerability. It enforces a remote procedure call (RPC) in the Netlogon protocol for all Windows devices. Microsoft made a revision to this advisory in February.

Visit the Vicarius Research Center for more information on CVEs and how to remediate them. You can also try a 30-day free trial of our TOPIA solution.

Prefer to listen instead? We got you covered 😏

Tags

  • #vicarius_blog

users/photos/ckzu2qthc003w0jnd2nqodctm.jpg

Written by

Kent Weigle

Recent Posts

  • 1

    CISAnalysis - September 30, 2022

    Evan Kling September 30, 2022

  • 2

    Not So Fast: Analyzing the FastCompany Hack

    John Kilhefner September 29, 2022

  • 3

    How to test application with ZAP - Part Two

    Jenny R September 28, 2022

  • 4

    How to test application with ZAP - Part One

    Jenny R September 28, 2022

  • 5

    The World's Worst Hackers Have Flags

    Paul Lighter September 27, 2022

Related Posts

By Evan Kling
Sep 30, 2022

CISAnalysis - September 30, 2022

Take me out to the ballgame! A double-header in Exchange Server is being exploited in the wild. These zero-days come as a pair like A-Rod and Jeter. But don't expect any SecOps or sysadmins to be watching baseball this weekend....they may have their hands full.
By John Kilhefner
Sep 29, 2022

Not So Fast: Analyzing the FastCompany Hack

When FastCompany's website was hacked late Tuesday night, it sent shockwaves through the media world, underscoring the importance of routine cybersecurity inspections for media companies. Now, in the wake of the prominent hack, media companies are scrambling to secure their content management systems.
By Jenny R
Sep 28, 2022

How to test application with ZAP - Part Two

This part of the series covers how to create an Angular application, deploy it using Docker, and how to set up ZAP so you can start testing the application inside the test environment.
last_chanse_02.png

Start Closing Security Gaps

  • Risk reduction from Day 1
  • Fast set-up and deployment
  • Unified platform
  • Full-featured 30-day trial
Get a Demo
Start Free Trial!