⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2022-05-03.

CVE-2020-1472 Zerologon: Improper Privilege Management in Microsoft Windows Netlogon

Severity
NVD: 10.0 CRITICAL
CNA: 5.5
VulnCheck: 5.5

EPSS
94.4% (top 0.03%)

CISA KEV
KEV, Ransomware
Added 2021-11-03
Due 2022-05-03

Exploit
Exploited in wild
Active exploitation observed

Timeline
Published: Aug 17
KEV added: Nov 3
KEV due: May 3
Latest update: Aug 9

CISA Required Action: Apply updates per vendor instructions.

Description

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is ad

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 6.0

Affected Packages (14 packages)

CVEListV5: microsoft/windows_server_2012, version 6.2.0 (publication)
CVEListV5: microsoft/windows_server_2016, version 10.0.0 (publication)
CVEListV5: microsoft/windows_server_2019, version 10.0.0 (publication)
CVEListV5: microsoft/windows_server_2012_r2, version 6.3.0 (publication)
CVEListV5: microsoft/windows_server_version_2004, version 10.0.0 (publication)

Also affects: Debian Linux 9.0, Fedora 31, 32, 33, Ubuntu Linux 14.04, 16.04, 18.04, 20.04

Patches

🔴 Vulnerability Details (5)

GHSA: GHSA-gc5h-xf3g-h5x4: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, us (2022-05-24)
CVEList: Netlogon Elevation of Privilege Vulnerability (2020-08-17)
OSV: CVE-2020-1472: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, us (2020-08-17)
VulnCheck: Microsoft Netlogon Privilege Escalation Vulnerability (2020)

💥 Exploits & PoCs (1)

Exploit-DB: ZeroLogon - Netlogon Elevation of Privilege (2020-11-18)

🔍 Detection Rules (11)

Suricata: ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2 (2022-02-22)
Suricata: ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1 (2022-02-22)
Suricata: ET EXPLOIT Zerologon Phase 3/3 - NetrLogonSamLogonWithFlags Request with 0x00 Client Credentials (CVE-2020-1472) (2022-02-22)
Suricata: ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2 (2022-02-22)
Suricata: ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1 (2022-02-22)

📋 Vendor Advisories (8)

CISA: Microsoft Netlogon Privilege Escalation Vulnerability (2021-11-03)
Oracle: Oracle Systems Risk Matrix: Operating System Image — CVE-2020-1472 (2021-04-15)
Ubuntu: Samba update (2020-09-30)
Ubuntu: Samba vulnerability (2020-09-17)

🕵️ Threat Intelligence (24)

Unit42: Ransomware Review: First Half of 2024 (2024-08-09)
Qualys: Unpacking the CVEs in the FireEye Breach – Start Here First (2021-02-01)
Qualys: Unpacking the CVEs in the FireEye Breach - Start Here First | Qualys (2021-02-01)
Trendmicro: "Zerologon" and the Importance of Virtual Patching (2020-10-06)
Sentinelone: Zerologon (CVE-2020-1472): SentinelOne First to Detect on the Endpoint (2020-09-30)

💬 Community (3)

Bugzilla: CVE-2020-1472 samba: Netlogon Elevation of Privilege Vulnerability (Zerologon) [fedora-all] (2020-09-21)
Bugzilla: CVE-2020-1472 samba: Netlogon Elevation of Privilege Vulnerability (Zerologon) [fedora-all] (2020-09-19)
Bugzilla: CVE-2020-1472 samba: Netlogon elevation of privilege vulnerability (Zerologon) (2020-09-17)

CVE-2020-1472 — Zerologon | cvebase