Microsoft Active Directory Netlogon Elevation of Privilege CVE-2020-1472

Summary

On August 11th, 2020 Microsoft publicly disclosed the existence of a critical severity Elevation of Priviledge (EOP) vulnerability that impacts all recent versions of Windows Server systems acting as Active Directory Domain Controllers (DCs). The vulnerability, CVE-2020-1472, impacts the Netlogon Remote Protocol (MS-NRPC). Successful exploitation of this vulnerability could allow attackers to execute arbitrary code on Active Directory Domain Controllers, potentially granting themselves access to a “Domain Administrator” account. 

The Netlogon Remote Protocol (MS-NRPC) is used within Active Directory deployments for authentication of users and machines. Netlogon is leveraged by Microsoft to maintain a secure channel between domain-joined machines and Domain Controllers to authenticate users and services. The protocol is also used by Domain Controllers to maintain relationships with other Domain Controllers, to maintain relationships across domains (in an Active Directory forest), and to discover and manage additional machine to domain relationships.

Microsoft has released a patch today to protect Active Directory Domain Controllers and other Windows devices. However, Microsoft plans to release additional patches in Q1 2021 which will enforce secure Remote Procedure Call (RPC) with Netlogon to fully address this bug. Organizations will need to make changes to their Active Directory domain controllers before Q1 2021 to avoid having devices within their environment denied access.

In order to fully mitigate this issue, Microsoft is leveraging a phased approach:

• August 11th, 2020: Microsoft released KB4565351 which includes patches to protect Domain Controllers and Windows devices from exploitation of this vulnerability.
• Q1 2021: Domain Controllers will be placed in enforcement mode, which will require all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with Netlogon secure channel. Organizations can also explicitly allow a subset of Active Directory accounts to be used for any non-compliant devices.

The Cyber Fusion Center strongly recommends all organizations apply Microsoft supplied patches to any impacted Windows Servers and workstations as soon as possible. The Cyber Fusion Center also recommends prioritizing installing these patches on Domain Controllers. For additional details regarding Microsoft’s phased approach to resolving this issue, please review the “solution” section of this advisory.

Affected software

The following Microsoft Windows Server versions are impacted if they are assigned the Domain Controller role:

• Windows Server 2008 R2 Service Pack 1 (For 64 bit devices)
• Windows Server 2012 All versions
• Windows Server 2016 All versions
• Windows Server 2019 All versions
• Windows Server version 1903 (Server Core Installation)
• Windows Server version 1909 (Server Core Installation)
• Windows Server version 2004 (Server Core Installation)

Impact

Successful exploitation of this vulnerability could allow attackers to execute arbitrary code on Active Directory Domain Controllers, potentially granting themselves access to a “Domain Administrator” account.

Solution & Action Required

Microsoft has released a patch today to protect Active Directory Domain Controllers and other Windows devices. However, Microsoft plans to release additional patches in Q1 2021 which will enforce secure Remote Procedure Call (RPC) with Netlogon to fully address this bug. Organizations will need to make changes to their Active Directory domain controllers before Q1 2021 to avoid having devices within their environment denied access. If any domain controllers within an Active Directory forest are not properly configured after the Q1 2021 patch is deployed, communication between domains may fail.

In order to fully mitigate this issue, Microsoft is leveraging a phased approach:

• August 11th, 2020: Microsoft released KB4565351 which includes patches to protect Domain Controllers and Windows devices from the exploitation of this vulnerability.
• Q1 2021: Domain Controllers will be placed in enforcement mode, which will require all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with Netlogon secure channel. Organizations can also explicitly allow a subset of Active Directory accounts to be used for any non-compliant devices.

Phase 1: August 11th, 2020 (This release)

The patches released by Microsoft today take the following actions to protect Windows Domain Controllers servers, and, workstations:

• Enforces secure RPC usage for machine accounts on Windows-based devices.
• Enforces secure RPC usage for trust accounts.
• Enforces secure RPC usage for all Windows and non-Windows DCs.
• Includes a new group policy to allow non-compliant device accounts
  • Even when DCs are running in enforcement mode or after the Enforcement phase starts, allowed devices will not be refused connection.

• Adds a FullSecureChannelProtection registry key to enable DC enforcement mode for all machine accounts
  • The Q1 2021 enforcement phase will update DCs to DC enforcement mode.

• Includes new windows log events when accounts are denied or would be denied in the DC enforcement mode.

Phase 2: February 9th, 2021 (Action Required)

Domain Controllers will now be in enforcement mode regardless of the enforcement mode registry key.  This requires all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device.

This release:

• Enforces secure RPC usage for machine accounts on non-Windows based devices unless allowed by “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.

• Will remove logging of Event ID 5829 (logging created to identify non-compliance devices).

CFC Support & Detection

As part of today’s release, Microsoft has updated Active Directory Domain Controllers to log a new event. Event ID 5829 will be logged anytime a device within the environment uses a vulnerable Netlogon secure channel connection. The events will include details that can be used to identify non-compliant devices who will be denied access in the future.

The Cyber Fusion Center will work with clients who have SIEM based Threat Monitoring services to ensure logs for Event ID 5829 are being properly received. The Cyber Fusion Center will also periodically provide a list of non-compliant devices that are using a vulnerable Netlogon secure channel connection. This will enable clients to apply patches to affected systems or allow such a system to authenticate using insecure channels by explicitly allowing certain Active Directory accounts to bypass enforcement of secure RPC with Netlogon secure channel.

Sources

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 
• https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc