Are your Domain Controllers Protected from CVE-2020-1472 Zerologon Attacks?

What You Need to Know About Netlogon and Zerologon

On September 11th, 2020, researchers at Secura published information on a critical vulnerability in Microsoft’s Netlogon authentication process which they dubbed “Zerologon." It is a cryptographic flaw that has a clear path to full takeover of an Active Directory domain.

The vulnerability allows an attacker to reset the machine account password of a target domain controller to a blank value. With the domain controller machine password set to blank, it's one step for an attacker to harvest credential material needed to assume the identity of a Domain Administrator-level account.

Zerologon (CVE-2020-1472) is a severe vulnerability, it has the CVSS maximum score of 10.0.

What Can be Done About Zerologon?

Microsoft partially patched this issue in August 2020 but many organizations have yet to take action to be protected from this flaw. If you have not yet applied the August security updates for CVE-2020-1472, patching should be immediately planned and implemented. Additional security enforcement will be released as a second security update in Q1 2021.

How to Identify Affected Systems

Core Security customers can assess their risk automatically using our comprehensive penetration testing solution, Core Impact. The Rapid Penetration Tests (RPTs) can be used to scan and assess a network using the included Microsoft Windows Netlogon CVE-2020-1472 Vulnerability Checker, quickly identifying which systems are most vulnerable and help you to focus your remediation efforts where they matter most.