The information below was sent to U-M IT groups on September 21, 2020. It is intended for U-M IT staff who are responsible for Windows Servers with the domain controller role.
Exploit code for a critical Microsoft Netlogon Remote Protocol (MS-RPC) vulnerability is now publicly available according to the Cybersecurity and Infrastructure Security Agency (CISA). CISA has issued an emergency directive for the vulnerability, underscoring the urgency of addressing it as soon as possible. Microsoft addresses the vulnerability in its August 2020 Security Update. If you have not yet applied the August 2020 Security Update to machines running Windows Server with the domain controller role, do so as soon as possible after appropriate testing. If affected domain controllers cannot be updated, remove them from the network until the update can be applied.
According to Forbes, "CVE-2020-1472 is about as serious as it gets, hence the maximum 10 Common Vulnerability Scoring System (CVSS) rating and the critical severity that Microsoft has attached to it. The vulnerability itself opens the doors for an attacker already inside the network to access the Windows Server Active Directory domain controller."
All versions of Windows Server with the domain controller role. This includes read-only domain controllers.
- Apply the August 2020 Security Update to Windows Server with the domain controller role as soon as possible after appropriate testing. The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
- If affected domain controllers cannot be updated, remove them from the network.
The August update is the first in a two-phase mitigation of the vulnerability. Microsoft expects to release a further update in February 2021 that will require "all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device."
Exploit code is publicly available. This increases the likelihood of the vulnerability being exploited on any unpatched version of Windows Server with the domain controller role.
The updates address the vulnerability by modifying how Netlogon handles the use of Netlogon secure channels. To provide Active Directory forest protection, all domain controllers must be updated so that they will enforce secure RPC with a Netlogon secure channel. This includes read-only domain controllers.
How We Protect U-M
- ITS Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- IA provides vulnerability management guidance to the university.
- ITS updates MiWorkspace and MiServer managed machines as soon as possible after appropriate testing.
Information for Users
This vulnerability affects servers, not personal computers. Most users do not need to do anything.
- Windows Server: Patch this critical flaw now says Homeland Security in emergency warning (Tech Republic, 9/21/20)
- US govt orders federal agencies to patch dangerous Zerologon bug by Monday (ZDNet, 9/20/20)
- Windows Server Update Gets Serious: You Have The Weekend To Comply, Homeland Security Says (Forbes, 9/19/20)
- CISA Releases Emergency Directive on Microsoft Windows Netlogon Remote Protocol (Department of Homeland Security, 9/18/20)
- Emergency Directive: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday (Department of Homeland Security, 9/18/20)
- What the Zerologon vulnerability means for the state of enterprise security (Security Magazine, 9/17/20)
- Exploit for Netlogon Remote Protocol Vulnerability, CVE-2020-1472 (Department of Homeland Security, 9/14/20)
- How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (Microsoft, 8/12/20)
- CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability (Microsoft, 8/11/20)
- How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (Microsoft)