Privilege Escalation vulnerability in Microsoft Windows Netlogon Remote Protocol

Advisory No: TZCERT/SA/2020/09/23

Date of First Release: 23^rd September 2020

Source: Microsoft

Software Affected: 

• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2 (Server Core installation)
• Windows Server 2016 (Server Core installation)
• Windows Server 2019 (Server Core installation)
• Windows Server, version 1903 (Server Core installation)
• Windows Server, version 1909 (Server Core installation)
• Windows Server, version 2004 (Server Core installation)

Overview:

A vulnerability has been reported in Microsoft Windows Netlogon Remote Protocol, which could be exploited by an attacker to gain elevated privileges on the target system.

Description:

Microsoft Windows Netlogon Remote Protocol (MS-NRPC) is a core authentication component of Active Directory that provides authentication for user and computer accounts. By sending several Netlogon messages in which various fields are filled with zeroes, an unauthenticated attacker could change the computer password of the Domain Controller (DC) that is stored in the Active Directory (AD).

Such a process can then be used to obtain domain administrator privileges.

Impact:

Successful exploitation of this vulnerability could allow the attacker to obtain domain administrator privileges, and cause a denial of service attack.

Solution:

Microsoft has not yet identified any mitigation factors or workarounds for this vulnerability; however, users of the affected systems are advised to install the following latest security updates from Microsoft.

• https://www.catalog.update.microsoft.com/Search.aspx?q=KB4570333

References:

1. https://www.secura.com/pathtoimg.php?id=2055 
2. https://cyber.dhs.gov/ed/20-04/
3. https://www.catalog.update.microsoft.com/Search.aspx?q=KB4570333