search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows Netlogon Remote Protocol (MS-NRPC) uses insecure AES-CFB8 initialization vector

Vulnerability Note VU#490028

Original Release Date: 2020-09-16 | Last Revised: 2021-03-19

Overview

The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode. This allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and potentially obtain domain administrator privileges.

Description

The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) is a core authentication component of Active Directory that provides authentication for user and computer accounts. MS-NRPC uses an initialization vector (IV) of 0 (zero) in AES-CFB8 mode when authenticating computer accounts.

Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472) describes how this cryptographic failure allows a trivial statistical attack on the MS-NRPC authentication handshake:

The ComputeNetlogonCredential function, however, defines that this IV is fixed and should always consist of 16 zero bytes. This violates the requirements for using AES-CFB8 securely: its security properties only hold when IVs are random.

...

When encrypting a message consisting only of zeroes, with an all-zero IV, there is a 1 in 256 chance that the output will only contain zeroes as well.

By choosing a client challenge and ClientCredential of all zeros, an attacker has a 1 in 256 chance of successfully authenticating as any domain-joined computer. By impersonating a domain controller, an attacker can take additional steps to change a computer's Active Directory password (Exploit step 4: changing a computer’s AD password) and potentially gain domain administrator privileges (Exploit step 5: from password change to domain admin).

Because Samba has implemented the MS-NRPC protocol as it has been designed by Microsoft, Samba domain controllers are also affected by this vulnerability.

Impact

An unauthenticated attacker with network access to a domain controller can impersonate any domain-joined computer, including a domain controller. Among other actions, the attacker can set an empty password for the domain controller's Active Directory computer account, causing a denial of service, and potentially allowing the attacker to gain domain administrator privileges.

The compromise of Active Directory infrastructure is likely a significant and costly impact.

Solution

Apply an update

On August 11, 2020, Microsoft issued an advisory that provides updates for this vulnerability.

Enable secure RPC enforcement mode

The August 2020 updates for CVE-2020-1472 include changes to domain controllers that can optionally be enabled to require secure RPC for Netlogon secure channel connections. The changes to require secure RPC must be made to receive the most complete protection from this vulnerability. For systems that have the August 2020 update for CVE-2020-1472, enabling secure RPC enforcement mode will change domain controller behavior to require Netlogon secure channel connections using secure MS-NRPC. This change to enable enforcement mode will be deployed automatically on or after February 9, 2021.

Acknowledgements

Microsoft acknowledges Tom Tervoort of Secura for reporting this vulnerability.

This document was written by Eric Hatleback, Art Manion, and Will Dormann.

Vendor Information

490028
 

Alpine Linux Affected

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

Arch Linux Affected

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

CentOS Affected

Updated: 2020-09-17

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

Debian GNU/Linux Affected

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

Fedora Project Affected

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

Geexbox Affected

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

Gentoo Linux Affected

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

Google Affected

Notified:  2020-09-17 Updated: 2020-10-01

Statement Date:   September 29, 2020

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

HardenedBSD Affected

Notified:  2020-09-17 Updated: 2020-09-21

Statement Date:   September 18, 2020

CVE-2020-1472 Affected
Vendor Statement:
HardenedBSD is not affected.

Vendor Statement

HardenedBSD provides Samba as a third-party package, not installed by default.

Micro Focus Affected

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

Microsoft Affected

Notified:  2020-09-16 Updated: 2020-09-16

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

References

NetBSD Affected

Notified:  2020-09-17 Updated: 2020-10-01

Statement Date:   September 28, 2020

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

Red Hat Affected

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

SUSE Linux Affected

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

Samba Affected

Notified:  2020-09-15 Updated: 2020-09-21

Statement Date:   September 16, 2020

CVE-2020-1472 Affected

Vendor Statement

Samba domain controllers (AD and NT4-like) can be impacted by the ZeroLogon CVE-2020-1472 vulnerability, but supported versions are not impacted in the default configuration.

Samba, like Microsoft, suggest that "server schannel = yes" must be set for secure operation. This is Samba's equivalent to Microsoft's FullSecureChannelProtection=1 registry key.

The key difference between Samba and Microsoft Windows is that it's already enabled by default in all Samba major versions released since March 2018 (Samba 4.8 and later).

There seem to be some legacy software, which still requires "server schannel = auto". Samba will soon add additional hardening that will allow administrators to use "server schannel = yes" globally and define exceptions only for specified computer accounts.

Samba's progress can be monitored via this bug: https://bugzilla.samba.org/show_bug.cgi?id=14497

References

CERT Addendum

Samba requires secure Netlogon connections by default since version 4.8. Versions of Samba prior to 4.8 are vulnerable by default. Samba versions 4.8 and later are vulnerable if they are configured to override the server schannel default value to "auto" or "no".

Slackware Linux Inc. Affected

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

Synology Affected

Notified:  2020-09-17 Updated: 2020-09-18

Statement Date:   September 17, 2020

CVE-2020-1472 Affected

Vendor Statement

Synology confirms the Synology Directory Server is affected and has published a security advisory Synology-SA-20:21 to respond to CVE-2020-1472.

References

Turbolinux Affected

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

Ubuntu Affected

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

Univention Affected

Updated: 2020-09-17

CVE-2020-1472 Affected

Vendor Statement

We have not received a statement from the vendor.

References

Blackberry QNX Not Affected

Notified:  2020-09-17 Updated: 2020-09-21

Statement Date:   September 21, 2020

CVE-2020-1472 Not Affected

Vendor Statement

We have not received a statement from the vendor.

F5 Networks Inc. Not Affected

Notified:  2020-09-17 Updated: 2020-09-28

Statement Date:   September 25, 2020

CVE-2020-1472 Not Affected

Vendor Statement

We have not received a statement from the vendor.

FreeBSD Project Not Affected

Notified:  2020-09-18 Updated: 2020-09-21

Statement Date:   September 19, 2020

CVE-2020-1472 Not Affected

Vendor Statement

FreeBSD does not include support for MS-NRPC in the base system. Users who install third-party software (e.g. Samba) from ports or packages may be affected.

Illumos Not Affected

Notified:  2020-09-17 Updated: 2021-03-19

Statement Date:   March 18, 2021

CVE-2020-1472 Not Affected

Vendor Statement

Only AD domain controller implementations are potentially at risk, as detailed in the linked paper. (DC server “NetLogon” functions are the attack surface for this vulnerability.) We do not implement a domain controller, therefore we are NOT VULNERABLE.

We are AFFECTED, because our AD clients will need adjustment to a world that fixes this vulnerability, however. See https://www.illumos.org/issues/13169 It is now fixed in illumos upstream.

Joyent Not Affected

Notified:  2020-09-17 Updated: 2021-03-19

Statement Date:   March 18, 2021

CVE-2020-1472 Not Affected
Vendor Statement:
Only AD domain controller implementations are potentially at risk, as detailed in the linked paper. (DC server “NetLogon” functions are the attack surface for this vulnerability.) We do not implement a domain controller, therefore we are not vulnerable.

Vendor Statement

Only AD domain controller implementations are potentially at risk, as detailed in the linked paper. (DC server “NetLogon” functions are the attack surface for this vulnerability.) We do not implement a domain controller, therefore we are NOT VULNERABLE to the attack.

We are AFFECTED insofar as illumos SMB/CIFS clients will need to be adjusted to interoperate with DCs that address this vulnerability.

https://www.illumos.org/issues/13169

This illumos issue has been fixed in upstream illumos.

Amazon Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Apple Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Arista Networks Inc. Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Aspera Inc. Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dell EMC Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

DesktopBSD Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

DragonFly BSD Project Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

HP Inc. Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hewlett Packard Enterprise Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hitachi Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

IBM Numa-Q Division (Formerly Sequent) Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Juniper Networks Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Lenovo Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Marconi Inc. Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

NEC Corporation Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Nexenta Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Nokia Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

OpenBSD Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

OpenIndiana Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Openwall GNU/*/Linux Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Oracle Corporation Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Sony Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

The OpenBSD project Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Tizen Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

TrueOS Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

Unisys Corporation Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

m0n0wall Unknown

Notified:  2020-09-17 Updated: 2020-09-17

CVE-2020-1472 Unknown

Vendor Statement

We have not received a statement from the vendor.

View all 52 vendors View less vendors


Other Information

CVE IDs: CVE-2020-1472
Date Public: 2020-09-16
Date First Published: 2020-09-16
Date Last Updated: 2021-03-19 14:30 UTC
Document Revision: 18

Sponsored by CISA.