Security Announcement - Statement on In-depth Analysis of NetLogon Privilege Escalation Vulnerability CVE-2020-1472

25-02-2021

Overview

Background of the vulnerability

On August 13, 2020, the H3C Offensive and Defense Laboratory observed that Microsoft had released a patch to fix the NetLogon privilege escalation vulnerability (CVE-2020-1472), which is rated severe. Recently, foreign security vendors have publicly released a verification script and a detailed technical analysis of the vulnerability. An exploit tool for the vulnerability is also publicly available on GitHub, which greatly increases the risk of widespread exploitation. New H3C Attack and Defense Lab recommends that users promptly install the relevant security patches on affected Windows Server operating systems.

Vulnerability details

The Netlogon Remote Protocol is an RPC interface available on Windows domain controllers. It is used for various tasks related to user and computer authentication, most commonly to let users log in to servers using the NTLM protocol. Other functions include authenticating NTP responses and, in particular, allowing computers to update their passwords in the domain. A privilege escalation vulnerability exists when an unauthorized attacker can establish a NetLogon secure channel connection to a domain controller through the NetLogon remote protocol (MS-NRPC). The vulnerability lies in a flaw in the cryptographic authentication protocol that proves the authenticity and identity of a domain-joined computer to the domain controller. Because the AES mode of operation is used incorrectly during authentication, it is possible to spoof the identity of any computer account (including that of the domain controller itself) and set a blank password for that account in the domain. An attacker who successfully exploited this vulnerability could run a specially crafted application on a device on the network and gain administrator rights on the domain controller.
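The incorrectly used AES mode referred to above is AES-CFB8 run with a fixed all-zero initialization vector over the 8-byte Netlogon credential. The following added example (not code from this advisory, H3C or Microsoft) shows why a fixed IV defeats the mode while a fresh random IV per message does not. As an assumption, it substitutes an HMAC-SHA256 keyed function for AES, since CFB8 only calls the cipher in the forward direction, and all keys are constructed sample values.

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size in bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES block encryption (assumption: the stdlib has no AES).
    CFB8 never decrypts with the block cipher, so any keyed pseudorandom
    function reproduces the behaviour demonstrated here."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: one cipher call per byte; each ciphertext byte is shifted
    back into the 16-byte register that feeds the next cipher call."""
    register, out = iv, bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, register)[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def zero_output_rate(keys, fixed_iv: bool) -> float:
    """Fraction of keys under which an all-zero 8-byte input encrypts to
    eight zero bytes, i.e. the output is predictable without the key."""
    hits = 0
    for key in keys:
        iv = bytes(BLOCK) if fixed_iv else os.urandom(BLOCK)
        if cfb8_encrypt(key, iv, bytes(8)) == bytes(8):
            hits += 1
    return hits / len(keys)


# Constructed sample: 4096 deterministic stand-in session keys.
SAMPLE_KEYS = [hashlib.sha256(i.to_bytes(4, "big")).digest()[:16]
               for i in range(4096)]

if __name__ == "__main__":
    # Fixed zero IV: the register never leaves the all-zero state once the
    # first keystream byte is zero, so about 1 key in 256 is affected.
    print("fixed zero IV:", zero_output_rate(SAMPLE_KEYS, fixed_iv=True))
    # Random IV: all eight keystream bytes would have to be zero by chance.
    print("random IV    :", zero_output_rate(SAMPLE_KEYS, fixed_iv=False))
```

With the fixed IV, whether the output collapses to zeros depends only on the first byte of the cipher applied to the zero block, which is why the result is independent of the account's secret.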

Reproducing the vulnerability

Verify using the public vulnerability verification script. The following indicates that the target machine has the NetLogon privilege escalation vulnerability and is at risk of being exploited.

Scope of impact

Affected versions:

Windows Server 2008 R2 SP1

Windows Server 2012

Windows Server 2012 R2

Windows Server 2016

Windows Server 2019

Windows Server 1903 (Server Core installation)

Windows Server 1909 (Server Core installation)

Windows Server 2004 (Server Core installation)

Risk level: Severe risk

Solution

Official patch

Microsoft has officially released a patch that fixes the vulnerability. The patch is available at:

https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1472

H3C solution

Version 1.0.106 of the H3C IPS rule database will support identification of this vulnerability. Watch the official H3C website for signature database updates, apply them promptly, and enable the related rules.

H3C security emergency response external service

H3C advocates that every effort be made to safeguard the ultimate interests of product users, to abide by the principles of responsible disclosure of security incidents, and to handle product security issues in accordance with its security issue handling mechanisms. For information on H3C's security emergency response service and H3C product vulnerabilities, please visit https://www.h3c.com/en/Support/Online_Help/psirt/.
