In August 2020, Microsoft began patching a critical privilege-escalation vulnerability in the Netlogon service of Windows Server (CVE-2020-1472). Dubbed Zerologon, it allows an attacker with network access to a domain controller to become a domain admin without holding any credentials. The vulnerability received the maximum CVSS score of 10.0.

Zerologon is launched from inside the target network, for example from a compromised workstation or by a malicious insider; all that is needed is a route to the domain controller’s Netlogon RPC endpoint. It exploits a bug in the cryptography of the Netlogon Remote Protocol (MS-NRPC). When a client authenticates to a domain controller, both sides prove knowledge of a session key by encrypting an 8-byte challenge with AES in CFB8 mode. The implementation, however, does not randomise the initialisation vector: it is fixed at sixteen zero bytes. With a zero IV and an all-zero challenge, CFB8 produces an all-zero output whenever the first byte of the encrypted zero block happens to be zero, which is the case for roughly 1 in 256 session keys. Because a fresh session key is derived on every handshake, an attacker who submits an all-zero challenge and an all-zero credential simply retries until one is accepted (on average about 256 attempts, typically a few seconds). This lets the attacker:

  • impersonate any machine account on the network, including the domain controller’s own, when authenticating against the domain controller;
  • change that machine’s password in Active Directory (via the NetrServerPasswordSet2 call, in practice to an empty password);
  • disable signing and encryption of the secure channel by clearing the corresponding negotiation flags, and spoof further calls to the Netlogon service;
  • and, with the domain controller’s own account, replicate the domain’s credential store and escalate to domain administrator.

Furthermore, when an attacker changes a machine’s password this way, the new password exists only in Active Directory; the machine’s own copy (its local LSA secret) is untouched. The machine can therefore no longer authenticate to the domain and falls back on locally cached logon credentials until the secure channel is manually resynchronised (for example with Reset-ComputerMachinePassword or nltest /sc_reset). A machine left in this state is hard to monitor and relies on cached credentials that can be tampered with, so any standing privileges it holds remain usable for longer than intended. If the target was the domain controller’s own account, the DC itself can stop replicating and serving clients.

We recommend patching CVE-2020-1472 on an emergency basis. Microsoft is delivering the fix in two phases: the August 2020 update protects domain controllers against the attack and logs remaining vulnerable connections, while an enforcement phase scheduled for Q1 2021 (9 February 2021 in Microsoft’s advisory) will reject insecure Netlogon secure channels outright. Before that date, review Security log events 5827–5831 on each domain controller to identify devices still using vulnerable connections, or enable enforcement early with the FullSecureChannelProtection registry value; please refer to Microsoft’s advisory for details.