Cisco Talos is tracking a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon, outlined in the August Microsoft Patch Tuesday report. The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which, among other things, can be used to update computer passwords by forging an authentication token for specific Netlogon functionality. This flaw allows attackers to impersonate any computer, including the domain controller itself, and gain access to domain admin credentials.

Typical Netlogon communication:

  • Client sends a client challenge which includes an eight-byte challenge.
  • Server responds with a server challenge including its eight-byte challenge.
  • Client and server compute a shared session key.
  • Client encrypts the shared session key producing a client credential.
  • Server encrypts the shared session key producing a server credential.

The cryptographic primitive that the client and server use to generate credential values is implemented in the function `ComputeNetlogonCredential`, which takes the eight-byte challenge as input and transforms it with the secret session key, producing an output of equal length. This mode encrypts each byte of the plaintext by:

  • Prepending a 16-byte IV to the plaintext and applying AES to the first 16 bytes.
  • Taking the first byte of the AES output and XORing it with the next plaintext byte and repeating until all bytes of the plaintext have been encrypted.
  • Discarding the IV.

The IV is not randomly generated but fixed, and it always consists of 16 null bytes. Thus a crafted plaintext of all nulls has a one in 256 chance of returning an all-null ciphertext. This can be exploited by sending a crafted server request with an eight null-byte challenge, then using this challenge in a `NetrServerAuthenticate3` (or `NetrServerAuthenticate2`) call to compute the client credential. The session keys are produced in `NetrServerAuthenticate3`, and the DCE/RPC call will contain a ClientCredential. This ClientCredential is computed by applying `ComputeNetlogonCredential` to the client challenge sent in the `NetrServerReqChallenge`. Because this attacker-chosen challenge is eight null bytes, for one in 256 session keys the correct ClientCredential will also consist of eight zeros.
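The following Go model of the byte-wise mode described above (AES in 8-bit cipher feedback) is an added example, not code from Talos or Microsoft. It counts how often an all-null challenge encrypts to an all-null credential under the fixed null IV, next to the same count under a non-zero IV. The helper names `cfb8`, `constructedKey` and `countAllZero` are hypothetical, the keys are constructed stand-ins rather than real Netlogon session keys, and the contrast IV is a constructed value.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"fmt"
)

// cfb8 encrypts eight bytes one at a time: AES the 16-byte state, XOR the first
// output byte with the next plaintext byte, shift the ciphertext byte into the state.
func cfb8(key, iv [16]byte, in [8]byte) (out [8]byte) {
	block, _ := aes.NewCipher(key[:]) // a 16-byte key is always accepted
	state, ks := iv, [16]byte{}
	for i, p := range in {
		block.Encrypt(ks[:], state[:])
		out[i] = p ^ ks[0]
		copy(state[:], state[1:])
		state[15] = out[i]
	}
	return out
}

// computeNetlogonCredential models the flawed scheme: the IV is always 16 null bytes.
func computeNetlogonCredential(key [16]byte, challenge [8]byte) [8]byte {
	return cfb8(key, [16]byte{}, challenge)
}

// constructedKey returns a stand-in session key (truncated SHA-256 of a counter).
func constructedKey(i int) (key [16]byte) {
	sum := sha256.Sum256([]byte(fmt.Sprint(i)))
	copy(key[:], sum[:])
	return key
}

// countAllZero counts keys for which an all-null challenge encrypts to all nulls.
func countAllZero(n int, iv [16]byte) (hits int) {
	for i := 0; i < n; i++ {
		if cfb8(constructedKey(i), iv, [8]byte{}) == ([8]byte{}) {
			hits++
		}
	}
	return hits
}

func main() {
	fmt.Println("null IV:    ", countAllZero(1<<16, [16]byte{}), "of 65536 keys")
	fmt.Println("non-zero IV:", countAllZero(1<<16, [16]byte{15: 1}), "of 65536 keys")
}
```

With the null IV, a key is affected exactly when the first byte of its AES output for a null block is zero, since the state then never changes; with any other IV, all eight keystream bytes would have to be zero independently.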

Microsoft is currently handling the mitigation of this vulnerability in a phased, two-part rollout. Microsoft outlined its plan in an advisory, saying, “For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472. When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory.”

To protect against this vulnerability, Microsoft recommends blocking connections that are not signed or sealed entirely. SNORT® users can use SID 55802 in alert mode to test that this is working properly. This rule specifically looks for those bad flags, so users can identify any systems in need of attention before Microsoft’s second phase of this patch goes live in January.

Coverage
Ways our customers can detect and block this threat are listed below.


Advanced Malware Protection (AMP) is suited to prevent the execution of the malware detailed in this post.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Stealthwatch Cloud has a rule in place for this activity labeled 'Talos Suspicious Activity' with the description "CVE-2020-1472 Zerologon authentication bypass attempt".

Additional protections with context to your specific environment and threat data are available from the Firepower Management Center.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.