Microsoft reported that attackers are exploiting a particularly dangerous flaw in Windows Server systems that could give attackers access to a vulnerable corporate network.
This vulnerability directly affects domain controllers (DCs) in Active Directory (AD). Because of a flawed implementation of AES-CFB8 in the Netlogon protocol, an attacker can set a new password without meeting any further requirement, take complete control of the DC and obtain administrator credentials. The flaw lies in the initial authentication handshake, where authentication is effectively bypassed: an attacker only needs to establish a TCP connection with a vulnerable domain controller, so simply being on the local network is enough to exploit the flaw, since no domain credentials of any kind are required.
The severe ZeroLogon vulnerability (CVE-2020-1472) already has a working public PoC (proof of concept) exploit and is very dangerous. The bug was fixed in Microsoft's security updates for August 2020. However, this week at least four public PoC exploits for the bug were released on GitHub. Even the popular mimikatz tool has added support for exploiting the vulnerability more quickly via RPC.
The vulnerability is exploitable by anyone with network visibility of the DC, with low technical complexity, without requiring privileges and without requiring any interaction from a legitimate user. The vulnerability is present in all versions of Windows:
Because of this bug in the AES implementation, an attacker can take full control of the DC and set an empty password on the domain. Since no authentication is needed to exploit the flaw, the vulnerability has been named "Zerologon".
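The following is an added detection example, not code from the article or from any of the exploit projects it mentions. It scans constructed Windows event records for the traces such an unauthenticated machine-account password reset leaves; the event IDs (Security 4742, and Netlogon 5827/5828/5829 emitted by a patched DC) are assumed from Microsoft's post-patch Netlogon guidance rather than taken from this page, and the sample records are fabricated for illustration.

```python
from typing import Dict, List

# Constructed sample records (not real telemetry) in a simplified dict form of
# Windows Security/System events. Event IDs are assumed from Microsoft's
# post-patch Netlogon guidance, not from the article.
SAMPLE_EVENTS: List[Dict] = [
    # Security 4742: computer account changed. Subject is an anonymous logon and the
    # target is the DC's own machine account: the trace a Zerologon-style reset leaves.
    {"EventID": 4742, "Channel": "Security", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "2020-09-15T10:02:11Z"},
    # Security 4742: routine machine-account password rotation by the machine itself.
    {"EventID": 4742, "Channel": "Security", "SubjectUserName": "WS07$",
     "TargetUserName": "WS07$", "PasswordLastSet": "2020-09-15T09:30:00Z"},
    # System 5829: a patched DC allowed a vulnerable Netlogon secure-channel connection.
    {"EventID": 5829, "Channel": "System", "MachineAccount": "LEGACYPRINT$",
     "ClientAddress": "10.0.0.57"},
    # System 5827: a patched DC in enforcement mode denied such a connection.
    {"EventID": 5827, "Channel": "System", "MachineAccount": "UNKNOWN$",
     "ClientAddress": "10.0.0.99"},
]

def is_machine_account(name: str) -> bool:
    """Machine (computer) accounts end with '$' in Windows event data."""
    return name.endswith("$")

def detect_zerologon_indicators(events: List[Dict]) -> List[str]:
    """Return one finding per event that matches a Zerologon indicator.

    4742 with an anonymous subject changing a machine account: the flaw lets an
    unauthenticated caller reset the DC account password, which logs exactly this.
    5827/5828: a patched DC denied a vulnerable Netlogon connection (enforcement on).
    5829: a patched DC still allowed one, so exposure remains until enforcement is on.
    """
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        anonymous = ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
        if eid == 4742 and anonymous and is_machine_account(ev.get("TargetUserName", "")):
            findings.append(f"CRITICAL 4742: machine account {ev['TargetUserName']} "
                            f"changed by anonymous logon at {ev.get('PasswordLastSet')}")
        elif eid in (5827, 5828):
            findings.append(f"WARN {eid}: vulnerable Netlogon connection from "
                            f"{ev.get('ClientAddress')} ({ev.get('MachineAccount')}) denied")
        elif eid == 5829:
            findings.append(f"HIGH 5829: vulnerable Netlogon connection from "
                            f"{ev.get('ClientAddress')} ({ev.get('MachineAccount')}) allowed")
    return findings

if __name__ == "__main__":
    for line in detect_zerologon_indicators(SAMPLE_EVENTS):
        print(line)
```

A real deployment would feed exported Security and System channel events into `detect_zerologon_indicators` in place of the constructed list.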
PoC ZeroLogon CVE-2020-1472 Public Exploits
Exploit for Netlogon Remote Protocol Vulnerability, CVE-2020-1472