Zerologon: Elevation of Privilege CVE


On September 18, 2020, DHS issued an Emergency Directive requiring all federal agencies to address this flaw, also known as "Zerologon", within three days, calling it an “unacceptable risk to the Federal Civilian Executive Branch". This vulnerability is considered extremely dangerous, as it gives threat actors a foothold on an internal network to hijack Windows Servers running as domain controllers and effectively take over the entire network.

This vulnerability, CVE-2020-1472, is a publicly known elevation of privilege flaw. It was included in Microsoft's August Patch Tuesday release with an exploitability rating of "Exploitation Less Likely". That rating gave security practitioners, analysts and researchers the impression, at the time of reporting, that the associated risks were not critical.

However, additional risks associated with the flaw were identified when four proof-of-concept exploits were made public via GitHub on September 11, 2020. This line of research was reported last year by Tom Tervoort, a Senior Security Specialist at Secura, who highlighted a Netlogon vulnerability that allowed man-in-the-middle (MITM) attacks on workstations in a 2019 article: Taking over Windows systems with a Netlogon man-in-the-middle attack (CVE-2019-1424).

Tervoort also discovered the second, more critical Zerologon flaw. In his recent blog post, Tervoort explained how the flaw can be exploited by establishing an authentication token for a specific Netlogon function and then calling a function that resets the domain controller's computer account password to a known value. That step allows the attacker to use the newly set password to take control of the domain controller and steal the credentials of a domain administrator.

Researchers published a test script that security teams can use to determine whether their environments are vulnerable to the flaw: GitHub CVE-2020-1472. The Python script uses the Impacket library to test for the Zerologon vulnerability. The in-depth report was more than enough to allow hackers to create weaponized exploits, which went public hours after the Secura report was published.
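The test script above tells a team whether a domain controller is still vulnerable; the complementary question is whether the attack described in the previous paragraph has already been attempted. The following is an added example written for this article, not Secura's test script or any Microsoft tooling. It assumes domain controller events have been exported from the Windows Security and System logs as one JSON object per line with the standard field names (EventID, SubjectUserName, TargetUserName, Computer), and it applies two heuristics of the author's own: Security event 4742 ("A computer account was changed") where the target is a domain controller's machine account but the subject is not that machine, which is what a Netlogon password reset arriving without real authentication looks like; and System event 5829, which domain controllers patched with the August 2020 update write for every vulnerable Netlogon secure channel they still permit. The sample log lines and the DC account list are constructed.

```python
"""Triage constructed domain-controller event records for Zerologon-style activity.

Assumptions (not from the article): events were exported from the Security and
System logs as JSON lines with the usual Windows field names, and the two
heuristics below are the author's, not Secura's or Microsoft's.
"""
import json
from typing import Dict, List, Tuple

# Machine accounts of the domain controllers; in practice pulled from AD (constructed).
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample export: each line mimics one event after EVTX -> JSON conversion.
SAMPLE_LOG = """
{"EventID": 4742, "Channel": "Security", "Computer": "DC01.corp.example", "SubjectUserName": "DC01$", "TargetUserName": "DC01$"}
{"EventID": 4742, "Channel": "Security", "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"}
{"EventID": 4742, "Channel": "Security", "Computer": "DC01.corp.example", "SubjectUserName": "WS07$", "TargetUserName": "WS07$"}
{"EventID": 5829, "Channel": "System", "Computer": "DC01.corp.example", "MachineAccount": "PRINTSRV$", "ClientIP": "10.0.5.20"}
{"EventID": 4624, "Channel": "Security", "Computer": "DC01.corp.example", "TargetUserName": "alice"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def dc_password_reset_by_other(ev: Dict) -> bool:
    """Rule 1: a domain controller's own machine account was changed (4742) by a
    principal other than that machine. Machines rotate their own passwords; the
    Netlogon reset described in the article arrives without a real login, so the
    subject is typically ANONYMOUS LOGON rather than the DC account itself."""
    return (
        ev.get("EventID") == 4742
        and ev.get("TargetUserName") in DC_ACCOUNTS
        and ev.get("SubjectUserName") != ev.get("TargetUserName")
    )


def insecure_netlogon_allowed(ev: Dict) -> bool:
    """Rule 2: System event 5829 is written by a DC running the August 2020 update
    whenever it still permits a vulnerable Netlogon secure channel. Each one names
    a client that must be fixed before the DC can be moved to enforcement mode."""
    return ev.get("EventID") == 5829


def triage(events: List[Dict]) -> List[Tuple]:
    """Return one finding tuple per event that matches a rule."""
    findings: List[Tuple] = []
    for ev in events:
        if dc_password_reset_by_other(ev):
            findings.append(
                ("dc_account_password_reset", ev.get("Computer"),
                 ev.get("TargetUserName"), ev.get("SubjectUserName"))
            )
        elif insecure_netlogon_allowed(ev):
            findings.append(
                ("insecure_netlogon_client", ev.get("Computer"),
                 ev.get("MachineAccount"), ev.get("ClientIP"))
            )
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed sample, the first rule fires once (the 4742 where ANONYMOUS LOGON changed DC01$) and the second once (the 5829 naming PRINTSRV$); the DC's routine self-rotation and the workstation's own password change are not flagged. The first rule is the one to alert on, since it corresponds to the password reset the attack depends on; the second is an inventory feed for the remediation work that has to precede enforcement.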

The CRY3CON PR1ORITY platform updated the CyRating of CVE-2020-1472 (now at 38.46) as additional intelligence on the vulnerability was made public. PR1ORITY has collected over 174 posts from hacker discussions, in English, Russian, and Mandarin Chinese, from the dark web, social media, and open source cybersecurity sources.

PR1ORITY Change Log Graph

Make sure your teams are remediating the right vulnerabilities. Take advantage of our Predictive Threat Assessment today.