The Exploit Window is Open: CVE-2020–1472 Gone Wild

Patch Now & Patch Often

CVE-2020–1472 is ranked Critical, with a CVSSv3 score of 10.0. Microsoft’s August 2020 Patch Tuesday advisory lists the flaw as present in all supported versions of Windows Server, from Server 2008 R2 through Server 2019.

Install Microsoft’s August 2020 security update on every Active Directory (AD) domain controller (DC) immediately. An attacker who can reach the Netlogon RPC service of an unpatched DC over TCP can authenticate as that DC, reset its computer account password, and from there obtain domain admin privileges and lock you completely out of your environment. The whole exploit takes under three seconds.

Secura has published a Python script on GitHub that tests a DC for CVE-2020–1472 without changing anything on it:

https://github.com/SecuraBV/CVE-2020-1472

A Critical Threat

Microsoft may have released the first of two patches for vulnerability CVE-2020–1472 back in August, but it wasn’t until mid-September when the team at Secura, a Dutch security firm, published its whitepaper describing the vulnerability in greater depth that the global cybersecurity community took notice of the potential danger and catastrophic impact of vulnerability CVE-2020–1472, dubbed Zerologon.

Since the whitepaper appeared in mid-September, the global cybersecurity conversation has been teeming with proof-of-concept (PoC) code for weaponized Zerologon attacks. Microsoft’s fix ships in two phases: the August 2020 update already blocks the exploit against patched DCs, and the enforcement phase scheduled for February 2021 makes secure RPC mandatory for every Netlogon client, closing the remaining gap for non-compliant devices. Until every DC is patched, the exploitation window for Zerologon remains open.

By all POCs, reports, and analyses released, Zerologon lives up to its 10/10 CVSSv3 severity score — a feat only previously achieved by 6.2% of recorded CVEs. It’s as bad as they come.

By exploiting CVE-2020–1472, an attacker with a TCP connection to an unpatched AD domain controller can bypass Netlogon authentication and impersonate any machine account, including the DC’s own, in about three seconds. But why stop there? From there the attacker can reset the DC’s computer account password, which breaks the DC’s own authentication and replication and locks you out of your environment entirely. That alone is a severe denial of service; worse, the attacker can use the new password to run DCSync, dump every credential in the domain, and push malware such as ransomware to every device under the domain.

State-sponsored threat groups are highly likely to leverage the CVE-2020–1472 exploit in future attacks as well as attempt a work around for the August patch. The scope of the potential damage is difficult to estimate and must not be taken lightly.

As mentioned earlier, PoC code for weaponized CVE-2020–1472 attacks has been appearing online for several weeks, and attacks incorporating it have already been observed in the wild. CyCraft AIR, our automated detection and response platform, recently observed CVE-2020–1472 exploitation in multiple unrelated automated attacks, only days apart from each other. One attack used a custom Mimikatz module; Mimikatz is a tool commonly used by attackers for credential dumping and as a building block of PowerShell attack scripts.

CyCraft AIR successfully hunted Zerologon and issued an alert

In this article, we will discuss the severity of this vulnerability, the official response of the United States, US-China relations (because who doesn’t love geopolitical dives), the technical analysis of the CVE-2020–1472 vulnerability, derivative attacks that exploit this vulnerability, and related defense strategies against CVE-2020–1472.

CyCraft AIR has been able to detect attacks that exploit this vulnerability and issue immediate alerts upon detection. If you have any concerns about your network security and are interested in automated detection and response security solutions, feel free to contact us: contact@cycraft.com

Official U.S. Government Response to CVE-2020–1472

On Patch Tuesday, August 11, Microsoft released a patch for the vulnerability identified as CVE-2020–1472, where cve.mitre.org described the vulnerability as:

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.

Exactly one month later, on September 11, Secura released their CVE-2020–1472 Whitepaper, giving the vulnerability its new name, Zerologon.

Seven days later on September 18, the United States DHS issued only the fourth emergency directive of 2020, Emergency Directive №20–04. It mandated that all government agencies were required to apply the Microsoft August 2020 Security Update to all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21. Completion reports were to be submitted to CISA by 11:59 PM EDT, Wednesday, September 23 to provide assurance and attest that all affected servers had received the applicable update.

The next day, September 19, CISA posted a tweet explaining Emergency Directive 20–04.

The Cybersecurity and Infrastructure Security Agency (CISA), an operational component under DHS oversight, released this tweet on September 19, strongly recommending state and local government, the private sector, and the American public also apply the security update as soon as possible.

CISA will review and validate agency compliance against the following deadlines:

By October 1, CISA Director, Chris Krebs, will begin engaging with the CIOs and/or Senior Agency Officials for Risk Management (SAORM) of agencies that have failed to complete the required updates and actions.

By October 5, CISA is scheduled to provide a report to current Secretary of Homeland Security Chad Wolf and current Director of Office of Management and Budget (OMB) Russell Vought going over cross-agency status and any outstanding issues.

This sequence of emergency measures shows how seriously CISA, and by extension the DHS, treats CVE-2020–1472.

2020 US-China Relations

The potential impact of this vulnerability is huge, and its timing, weeks before the U.S. presidential election on November 3, makes it worse. Largely because of the allegations of Russian interference in the 2016 U.S. presidential election, government agencies have been hardening election infrastructure in anticipation of even more foreign interference in 2020.

The FBI and CISA even publicly announced on September 22 that foreign actors and cybercriminals are likely to spread disinformation regarding the 2020 election results.

Earlier this year on August 9, White House National Security Adviser Robert O’Brien stated that Chinese government-linked hackers had already begun targeting the 2020 U.S. presidential election infrastructure.

“They’d like to see the President lose … China — like Russia, like Iran — they’ve engaged in cyberattacks and phishing and that sort of thing with respect to our election infrastructure, with respect to websites and that sort of thing.”
White House National Security Advisor Robert O’Brien, Face the Nation (CBS)

Even though the U.S. Justice Department indicted Chinese nationals in early September for a decade-long hacking spree targeting more than 100 high-tech and online gaming companies, China has consistently denied U.S. government claims that the Chinese government hacks U.S. organizations, government personnel, or government agencies. Tensions

“The U.S. presidential election is an internal affair, we have no interest in interfering in it.”
China’s Foreign Ministry Spokesman Geng Shuang

US-China relations have grown more complicated in 2020 due to the global COVID-19 pandemic. 2020 saw a spike in malicious cyber activity regarding the spread of misinformation, vaccines, and the sudden surge of organizations shifting to a remote workforce.

In March alone, 40,000 domains containing keywords, such as “COVID” or “Corona” suddenly appeared. Our investigation showed 94% of them were malicious in nature.

In April 2020, a year-long cyber campaign against Taiwan’s semiconductor industry came to light. In May 2020, Taiwan’s Formosa Petrochemical gas stations were hit by malware. In both cases the attacks were attributed to Chinese government-sponsored hacker groups.

Injecting a weaponized CVE-2020–1472 exploit into the current landscape is potentially dangerous.

The addition of the CVE-2020–1472 exploit window in Q4 2020 has the potential for significant impact due to the current geopolitical climate, the pandemic-influenced cybersecurity landscape, and the severe nature of the vulnerability itself.

CVE-2020–1472 Technical Analysis

It is important to remember that to exploit CVE-2020–1472, an attacker first needs a TCP connection to the Netlogon RPC service of an AD domain controller in your environment, whether from the internet, if a DC is exposed, or from any foothold inside the network.

With reference to Secura’s report [1], the figure below is a simplified flow chart of the Netlogon Remote Protocol (MS-NRPC) — a remote procedure call (RPC) interface on Windows domain controllers, most frequently used to authenticate users and computers on domain-based networks.

On the left is the attacker masquerading as a client (a domain-joined machine such as a workstation or member server). On the right is the target, the domain controller.

Weaponized CVE-2020–1472 Attack Flowchart

As you can see in the figure, we have broken down the Netlogon Remote Protocol and the corresponding Windows API (mainly on the attack side) step-by-step.

Normally, the client first sends a Client Challenge — a random 8-byte nonce — to the domain controller; then, the DC will generate its Server Challenge, which should be another random 8-byte nonce.

After the challenge exchange, both parties derive the Session Key for the rest of the conversation from the two challenges and a shared secret, the hash of the client computer account’s password, through a key derivation function (KDF).

The client then uses this session key to compute a Client Credential from its own challenge. If the server recomputes the same credential value, it concludes that the client knows the session key and is therefore a legitimate domain member.

Without the vulnerability, an attacker who does not know the Session Key cannot compute the correct Client Credential, and the server rejects the authentication call in the fourth step.

Therefore, if there were a way to calculate the Client Credential without needing to know the Session Key, the authentication call could be successfully bypassed.

Since the initial Client Challenge is chosen by the client, nothing stops an attacker from setting it to 0000…0. This triggers CVE-2020–1472: for one in every 256 session keys, an all-zero Client Challenge produces an all-zero Client Credential.

Each attempt with an all-zero challenge makes the server generate a new Server Challenge and therefore a new Session Key. The attacker simply keeps retrying until a session key that yields a zero credential turns up. On average that takes 256 attempts, which a scripted attacker completes in roughly three seconds.

Using this attack method, any attacker with a TCP connection to the AD domain controller could log in as any computer, including backup domain controllers or even the targeted domain controller itself.

CVE-2020–1472 exists because ComputeNetlogonCredential, the function that turns the challenge into the credential, encrypts it with AES-CFB8 using an Initialisation Vector (IV) of 16 zero bytes. With a zero IV, an all-zero 8-byte plaintext encrypts to an all-zero ciphertext with probability 1/256, namely whenever the first byte of AES(key, 16 zero bytes) is zero.

AES-CFB8

AES-CFB8 is a cipher-feedback mode that encrypts one byte at a time, so data shorter than the 128-bit AES block size, such as an 8-byte challenge, can be encrypted without any padding.

AES-CFB8 keeps a 16-byte shift register that starts as the IV. For each plaintext byte, AES encrypts the register, the first byte of the AES output is XORed with the plaintext byte to produce one ciphertext byte, and that ciphertext byte is shifted in at the end of the register (dropping the oldest byte) before the next step.

The simplified encryption procedure is as follows (one AES block operation per plaintext byte; the register starts as the IV):

IV = 16 random bytes
key = predefined key
register = IV
cypher = empty
for each byte p of plaintext:
 block = AES_op(register, key)        # encrypt the current 16-byte register
 c = block[0] XOR p                   # only the first output byte is used
 cypher = cypher + c
 register = register[1:] + c          # drop the oldest byte, shift in the ciphertext byte

The following figure uses the example given by Jarvis on modernnetsec [2]; the byte values are hexadecimal. First, AES encrypts the IV and the first byte of the output is 0x64. Byte 0x64 is XORed with the first plaintext byte, 0x74, giving the first ciphertext byte, 0x10. At the same time, the new ciphertext byte 0x10 is shifted in as the last byte of the register and, after 15 more steps, rotates through to become its first byte.

Then AES encrypts the updated register and the first output byte is 0x73; XORing it with the second plaintext byte, 0x65, gives the second ciphertext byte, 0x16. That ciphertext byte is likewise shifted into the register.


AES-CFB8 Vulnerability Causes and Utilization

The problem in Netlogon’s use of AES-CFB8 is that the IV is fixed to 000…00 rather than randomized. If the attacker also sets the plaintext (the Client Challenge) to 000…00, then whenever the first output byte of AES_op(000…00, key) happens to be 0, which is the case for one key in 256, the first ciphertext byte is 0, the register for the next round is again all zeros, and the same AES output repeats, so every ciphertext byte is 0. The encryption then protects nothing: the attacker presents an all-zero credential and, with probability 1/256 per attempt, authenticates to the DC.

IV = 00…00 (16 bytes)
plaintext = 00…00 (the 8-byte Client Challenge)
key = session key for this attempt
register = IV
for each byte p (= 0) of plaintext:
 block = AES_op(register, key)
 c = block[0] XOR 0 = block[0]        # 0 with probability 1/256 on the first step
 register = register[1:] + c          # if c is 0 the register stays all zeros
cypher = 00…00 whenever AES_op(00…00, key)[0] is 0, because every later step then repeats the first

The following figure also uses Jarvis’s example[2] to illustrate the following two important points:

  1. Unsafe IV settings: Allowing IV to be set to 000…00
  2. Controllable plaintext: Allowing the client to set the Client Challenge to 000…00 also allows for chosen-plaintext attacks to successfully occur

The figure shows that a zero plaintext can trigger a chain reaction that leaves the ciphertext all zeros. To reach that state, the attacker retries until they hit a session key under which 0 encrypts to 0. Each attempt succeeds with probability 1/256, so the expected number of attempts is 256, and 256 attempts succeed about 63% of the time; there is no fixed number of tries that guarantees success, but a few thousand attempts make failure negligible. For a cryptographic check, that is an absurdly high success rate.
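The script below is an added example written for this article; it is not code from Secura, Microsoft, Mimikatz or the CyCraft platform. It implements the CFB8 mode and the zero-IV credential computation described in the two sections above (the Netlogon authentication flow and the AES-CFB8 weakness), measures how often an all-zero Client Challenge and Client Credential pass the server’s check over fresh session keys, and computes the probability of success after n attempts. It uses real AES-128 when the `cryptography` package is installed and otherwise a SHA-256 based stand-in block function, an assumption labelled in the code: the collapse to zero is a property of the mode with a fixed zero IV, not of AES itself. The session keys are constructed test values, not keys derived from any real computer account. `patched_server_accepts_challenge` models the first-five-bytes-identical rejection that Secura [1] and 0patch [3] describe and is an assumption here, not Microsoft’s code.

```python
import hashlib

try:
    # Real AES-128 when the 'cryptography' package is installed.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:
    # Assumption: a keyed stand-in block function so the script runs offline.
    # CFB8 only needs a forward "encrypt one 16-byte block" operation, and the
    # zero-collapse shown below depends on the mode, not on the cipher.
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:16]


BLOCK_SIZE = 16
ZERO_IV = bytes(BLOCK_SIZE)  # ComputeNetlogonCredential (AES flavour) fixes the IV to zero


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: one block-cipher call per plaintext byte. The 16-byte shift register
    starts as the IV; each ciphertext byte is the first output byte XOR the
    plaintext byte, and is then shifted in at the end of the register."""
    register = bytes(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, register)[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Credential for an 8-byte challenge, as in MS-NRPC when AES is negotiated."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def server_accepts(session_key: bytes, client_challenge: bytes, client_credential: bytes) -> bool:
    """The server recomputes the credential and compares it with what the client sent."""
    return compute_netlogon_credential(session_key, client_challenge) == client_credential


def zero_attempt_succeeds(session_key: bytes) -> bool:
    """One Zerologon attempt: all-zero ClientChallenge and all-zero ClientCredential."""
    return server_accepts(session_key, bytes(8), bytes(8))


def attack_success_rate(trials: int) -> float:
    """Fraction of fresh session keys for which the zero attempt passes.
    Keys are constructed from a counter so the run is deterministic."""
    hits = 0
    for i in range(trials):
        session_key = hashlib.sha256(b"constructed-session-key-%d" % i).digest()[:BLOCK_SIZE]
        if zero_attempt_succeeds(session_key):
            hits += 1
    return hits / trials


def success_probability(attempts: int, p: float = 1 / 256) -> float:
    """Probability that at least one of n independent attempts succeeds."""
    return 1.0 - (1.0 - p) ** attempts


def patched_server_accepts_challenge(client_challenge: bytes) -> bool:
    """Assumption: the post-August-2020 server check as described in [1] and [3]:
    reject any ClientChallenge whose first five bytes are identical."""
    return len(set(client_challenge[:5])) > 1


if __name__ == "__main__":
    print(f"zero attempt success rate over 20000 session keys: {attack_success_rate(20000):.5f}")
    for n in (256, 2000):
        print(f"P(success within {n} attempts) = {success_probability(n):.4f}")
    print("patched server accepts all-zero challenge:", patched_server_accepts_challenge(bytes(8)))
```

Running it prints a success rate close to 0.0039 (1/256), shows that 256 attempts succeed only about 63% of the time while 2,000 attempts succeed about 99.96% of the time, and shows the patched check rejecting the all-zero challenge outright. Replacing `ZERO_IV` with a random IV in `compute_netlogon_credential` breaks the chain, which is exactly why the fixed IV is the root cause.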

Mimikatz lsadump::Zerologon Hacking Tool Integration

Within 24 hours of the Secura Zerologon Whitepaper’s release, CVE-2020–1472 Mimikatz integrations began appearing online.

Cyberattacks incorporating the CVE-2020–1472 exploit were only a matter of time. Less than a month later, real-world attacks exploiting the Zerologon vulnerability had been observed.

On September 24, Microsoft stated in a series of tweets that they were “actively tracking threat actor activity using exploits for the CVE-2020–1472 Netlogon EoP vulnerability, dubbed Zerologon.”

As mentioned earlier, CyCraft AIR has already observed weaponized CVE-2020–1472 exploitation in the wild, in multiple unrelated automated attacks only days apart, one of them using a custom Mimikatz module.

The following figure shows the attack code for the customized Mimikatz code on GitHub that appeared only days after the Secura Whitepaper release.

Roughly 2,000 attempts were made, far more than the average of 256; with 2,000 attempts the probability of at least one success is about 99.96%, so the attackers were making sure. In the loop, NetrServerReqChallenge sends an all-zero Client Challenge, then NetrServerAuthenticate2 is called with an all-zero Client Credential. If the authentication succeeds, NetrServerPasswordSet2 is called immediately, again with an all-zero authenticator, to reset the DC’s computer account password.

Follow-up Research on Extension Attacks

In addition to the aforementioned attack methods, cybersecurity researchers from all over the world continue to conduct research on CVE-2020–1472 and have performed many extended red team tests. The following are some of our current concerns.

Mimikatz Encrypts Network Traffic, Avoids Network Device Detection

After the vulnerability was disclosed, Tal Be’ery of ZenGo tweeted a packet-capture filter that detects the attack at the network layer [4].

On September 18, Mimikatz was updated to request RPC packet privacy (RPC_C_AUTHN_LEVEL_PKT_PRIVACY), which encrypts the Netlogon traffic and defeats network-layer detection based on pattern matching.

Even if your AD is not exposed to the internet, an attacker who compromises any other internal machine can attack the internal DCs with a weaponized CVE-2020–1472 exploit.

This is yet another reason why security solutions are shifting to emphasize detection and response in addition to prevention. A recommended endpoint detection method is to hook NetrServerAuthenticate2 and NetrServerAuthenticate3 on the domain controller to detect and block the attack, which is how the 0patch micropatch works [3].

The following article is recommended:
“Micropatch for Zerologon, the ‘perfect’ Windows vulnerability (CVE-2020–1472)” by Mitja Kolsek, 0patch Team (blog.0patch.com) [3]

The initial research highlights NetrServerAuthenticate3 (opnum 26), but Mimikatz and several public PoCs call NetrServerAuthenticate2 (opnum 15) instead. According to Tal Be’ery’s posts on Twitter [4], the Microsoft August 2020 update patches both calls. The more common network-layer detection looks for repeated Netlogon authentication packets carrying the sensitive NegotiateFlags value 0x212fffff.
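The following detector is an added example written for this article, not CyCraft AIR’s detection logic and not Tal Be’ery’s filter. It applies the two signals described above, a burst of NetrServerAuthenticate2/3 calls (opnums 15 and 26) carrying NegotiateFlags 0x212fffff and an all-zero credential, followed by a NetrServerPasswordSet2 (opnum 30) with an all-zero authenticator, to a constructed log of parsed Netlogon RPC calls. The one-line-per-call record format, the host names and addresses, the benign NegotiateFlags value 0x612fffff, and the burst threshold are all assumptions made for the example; the opnums are those defined in MS-NRPC.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# MS-NRPC opnums referenced in this article and in the public PoCs.
NETR_SERVER_REQ_CHALLENGE = 4
NETR_SERVER_AUTHENTICATE2 = 15
NETR_SERVER_AUTHENTICATE3 = 26
NETR_SERVER_PASSWORD_SET2 = 30
SENSITIVE_FLAGS = 0x212FFFFF  # NegotiateFlags used by the public exploits
ZERO_CRED = "00" * 8

# Assumed record layout (constructed for this example): one parsed Netlogon call
# per line; 'cred' is the 8-byte challenge/credential/authenticator the call carried.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) opnum=(?P<opnum>\d+) "
    r"flags=(?P<flags>0x[0-9a-fA-F]+) cred=(?P<cred>[0-9a-fA-F]{16})$"
)


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "src": m["src"],
        "dst": m["dst"],
        "opnum": int(m["opnum"]),
        "flags": int(m["flags"], 16),
        "cred": m["cred"].lower(),
    }


def detect_zerologon(lines, window_seconds=30, threshold=20):
    """Per (src, dst) pair: alert once on a burst of zero-credential authenticate
    calls with the sensitive flags inside the sliding window, and again if a
    zero-authenticator NetrServerPasswordSet2 follows such a burst."""
    window = timedelta(seconds=window_seconds)
    attempts = defaultdict(deque)  # (src, dst) -> timestamps of suspicious attempts
    burst_alerted = set()
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        key = (ev["src"], ev["dst"])
        suspicious_auth = (
            ev["opnum"] in (NETR_SERVER_AUTHENTICATE2, NETR_SERVER_AUTHENTICATE3)
            and ev["flags"] == SENSITIVE_FLAGS
            and ev["cred"] == ZERO_CRED
        )
        if suspicious_auth:
            q = attempts[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # expire attempts outside the window
                q.popleft()
            if len(q) >= threshold and key not in burst_alerted:
                burst_alerted.add(key)
                alerts.append({"rule": "zerologon-auth-burst", "src": ev["src"],
                               "dst": ev["dst"], "count": len(q), "ts": ev["ts"]})
        elif (ev["opnum"] == NETR_SERVER_PASSWORD_SET2 and ev["cred"] == ZERO_CRED
              and key in burst_alerted):
            alerts.append({"rule": "zerologon-password-reset", "src": ev["src"],
                           "dst": ev["dst"], "count": 1, "ts": ev["ts"]})
    return alerts


def constructed_sample():
    """Constructed log: a normal member-server handshake, then an attacker hammering
    the DC with zero credentials and resetting its password once one is accepted."""
    base = datetime(2020, 9, 21, 10, 0, 0)
    lines = [
        f"{base.isoformat()}Z src=10.0.0.21 dst=DC01 opnum={NETR_SERVER_REQ_CHALLENGE} flags=0x0 cred=3f9a1c77e02b5d48",
        f"{(base + timedelta(milliseconds=5)).isoformat()}Z src=10.0.0.21 dst=DC01 opnum={NETR_SERVER_AUTHENTICATE3} flags=0x612fffff cred=9a3c5f07d1e2b4c6",
    ]
    for i in range(40):
        t = (base + timedelta(seconds=5, milliseconds=10 * i)).isoformat()
        lines.append(f"{t}Z src=10.0.0.99 dst=DC01 opnum={NETR_SERVER_REQ_CHALLENGE} flags=0x0 cred={ZERO_CRED}")
        lines.append(f"{t}Z src=10.0.0.99 dst=DC01 opnum={NETR_SERVER_AUTHENTICATE2} flags=0x212fffff cred={ZERO_CRED}")
    t = (base + timedelta(seconds=6)).isoformat()
    lines.append(f"{t}Z src=10.0.0.99 dst=DC01 opnum={NETR_SERVER_PASSWORD_SET2} flags=0x0 cred={ZERO_CRED}")
    return lines


if __name__ == "__main__":
    for alert in detect_zerologon(constructed_sample()):
        print(alert)
```

Two caveats follow from the text above. Once Mimikatz negotiates RPC_C_AUTHN_LEVEL_PKT_PRIVACY, a network sensor no longer sees the flags or the credential, so this logic needs a host-side vantage point such as a hook on NetrServerAuthenticate2/3 on the DC. And a variant that never calls NetrServerPasswordSet2 only trips the first rule, which is why the burst of zero-credential authentications, not the password reset, is the signal to rely on.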

Exploits That Can Be Used Without Resetting the Password

Dirk-jan Mollema of Fox-IT shared a different approach [5][6]. Many network-layer defenses (such as Tal Be’ery’s rules) detect the DC password being reset to an empty value. Dirk-jan combines Zerologon with NTLM relay and the MS-RPRN printer bug, so the exploit never changes the DC password and those detections do not fire.

Are there risks after patching?

Although the August 2020 Microsoft update did not change the zero IV, a patched DC now rejects Client Challenges whose first five bytes are not sufficiently random, leaving, by this article’s estimate, roughly a one in 40 billion chance of triggering the flaw. That is sufficient until the February 2021 enforcement phase, which makes secure RPC mandatory for all Netlogon clients.

Brief Description of the Exploit and How to Fix It

Microsoft’s Netlogon Remote Protocol is used to authenticate user and computer accounts. Its cryptographic authentication contained a severe flaw that lets an attacker with a TCP connection to a domain controller spoof an arbitrary machine identity, reset the DC’s computer account password, and from there gain domain admin access. The scope and potential impact of this exploit are serious and should not be taken lightly.

In this article we discussed the cause of CVE-2020–1472 and analyzed the available attack methods. An intrusion using this vulnerability can be roughly simplified as follows:

  1. Gain a TCP connection to a domain controller of the targeted environment.
  2. Exploit CVE-2020–1472 to spoof a legitimate client (the DC’s own machine account) and complete Netlogon authentication with the targeted domain controller.
  3. Use the Netlogon protocol’s built-in password-change call (NetrServerPasswordSet2) to reset the DC’s computer account password.
  4. Authenticate with the new computer account password and use DCSync to dump the credential hashes of every account in the domain, then take control of the whole domain.

The current response to CVE-2020–1472 and its derivative attacks is to update every Windows Active Directory domain controller as soon as possible and, following Microsoft’s guidance, enable enforcement mode so that the DC refuses vulnerable Netlogon secure channel connections, then review the System-log events (IDs 5827 through 5831) that the update adds to identify devices still making vulnerable connections. For the different Windows Server versions, Microsoft released KB4565349, KB4565351, KB4566782, KB4571694, KB4571702, KB4571703, KB4571719, KB4571723, KB4571729, and KB4571736.

The modern cyber landscape is both mercurial and dangerous. While patching early and patching often help maintain defenses, routine organization-wide cyber health checks are also necessary to gain full visibility into an environment’s current cyber situation. Enterprises should also deploy an intelligent detection and response security solution that can effectively respond to known and unknown threats, especially as modern threats can emerge suddenly, such as CVE-2020–1472.

CyCraft AIR effectively detects attacks that exploit this vulnerability and immediately issues alerts.

If you have any concerns about your network security and are interested in automated detection and response security solutions or our AI SOC service, feel free to contact us: contact@cycraft.com

References
  1. “Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020–1472)”, Tom Tervoort, Secura, September 2020.
  2. “Zerologon — hacking Windows servers with a bunch of zeros”, Paul Ducklin, Naked Security (Sophos).
  3. “Micropatch for Zerologon, the ‘perfect’ Windows vulnerability (CVE-2020–1472)”, Mitja Kolsek, 0patch Team, blog.0patch.com.
  4. https://twitter.com/TalBeerySec/status/1306587772640083971
  5. https://twitter.com/_dirkjan/status/1307662409436475392
  6. https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py

Writer: CyCraft

About CyCraft

CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.
