CVE-2020-1472

Description from NVD

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.

Information Acquisition Date:2022-01-15T11:37Z

CVSS 2.0: 9.3 HIGH CVSS 3.x: 10.0 CRITICAL

▼ CVSS3 Vec CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector (AV)	Network	Adjacent	Local	Physical
Attack Complexity (AC)	LOW	High
Privileges Required (PR)	None	Low	High
User Interaction (UI)	None	Required
Scope (S)	Unchanged	Changed
Confidentiality (C)	None	Low	High
Integrity (I)	None	Low	High
Availability (A)	None	Low	High

▼ CVSS2 Vec AV:N/AC:M/Au:N/C:C/I:C/A:C

Attack Vector (AV)	Network	Adjacent	Local
Access Complexity (AC)	Low	Medium	High
Authentication (Au)	None	Single	Multiple
Confidentiality (C)	None	Partial	Complete
Integrity (I)	None	Partial	Complete
Availability (A)	None	Partial	Complete

NVD References

N/A
source:N/A
tags:Patch Vendor Advisory

http://packetstormsecurity.com/files/159190/Zerologon-Proof-Of-Concept.html
source:MISC
tags:Third Party Advisory VDB Entry

VU#490028
source:CERT-VN
tags:Third Party Advisory US Government Resource

[oss-security] 20200917 Samba and CVE-2020-1472 ("Zerologon")
source:MLIST
tags:Mailing List Third Party Advisory

USN-4510-1
source:UBUNTU
tags:Third Party Advisory

https://www.synology.com/security/advisory/Synology_SA_20_21
source:CONFIRM
tags:Third Party Advisory

USN-4510-2
source:UBUNTU
tags:Third Party Advisory

FEDORA-2020-0be2776ed3
source:FEDORA
tags:Third Party Advisory

openSUSE-SU-2020:1513
source:SUSE
tags:Mailing List Third Party Advisory

openSUSE-SU-2020:1526
source:SUSE
tags:Mailing List Third Party Advisory

FEDORA-2020-77c15664b0
source:FEDORA
tags:Third Party Advisory

FEDORA-2020-a1d139381a
source:FEDORA
tags:

USN-4559-1
source:UBUNTU
tags:

http://packetstormsecurity.com/files/160127/Zerologon-Netlogon-Privilege-Escalation.html
source:MISC
tags:

[debian-lts-announce] 20201123 [SECURITY] [DLA 2463-1] samba security update
source:MLIST
tags:

GLSA-202012-24
source:GENTOO
tags:

https://www.oracle.com/security-alerts/cpuApr2021.html
source:MISC
tags:

This vulnerability may involve a PoC.

Description from Forti

Microsoft: Netlogon Elevation of Privilege Vulnerability

This indicates an attack attempt to exploit an Elevation of Priviledge on Windows Server Netlogon Service.The vulnerablitiy is due to flaws in a cryptographic authentication protocol that proves the authenticity and identity of a domain-joined computer to a Windows Server Domain Controller. Successful exploitation can lead to an attacker gaining domain admin privileges on the vulnerable server.

Information Acquisition Date:2021/03/01

Affected Products

Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)

Impact

Privilege Escalation: Remote attackers can leverage their privileges on vulnerable systems.

Recommended Actions

Apply the most recent upgrade or patch from the vendor.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

References

Refer to Information on External Sites

CVE Infomation	Exploits or more Infomation
mitre	EXPLOIT DATABASE
NVD	0day.today
vulmon.com	github
CVE Details	Twitter
JVN ENG JPN
Reconshell

Software Tag: Linux(1 tweets) Windows(3 tweets)

List of frequently cited URLs

URL	Num of Times Referred to
https://alerts.vulmon.com/?utm_source=twitter&utm_medium=so...	262
https://reportcybercrime.com/cve-2020-1472	86
http://twinybots.ch	55
https://www.matteomalvica.com/blog/2020/09/24/weaponizing-c...	26
https://blog.zsec.uk/zerologon-attacking-defending/	19
http://newsbythehour.org/cybr	15
https://dirkjanm.io/a-different-way-of-abusing-zerologon/	11
http://canyoupwn.me	9
https://threatpost.com/zerologon-attacks-microsoft-dcs-snow...	7
https://blog.qualys.com/vulnerabilities-research/2020/09/15...	7
https://thedfirreport.com/2020/10/18/ryuk-in-5-hours	7
https://portal.msrc.microsoft.com/en-us/security-guidance/a...	7
https://github.com/SecuraBV/CVE-2020-1472	6
https://bit.ly/3iIrsQb	5
https://arstechnica.com/information-technology/2020/09/new-...	5
https://blog.0patch.com/2020/09/micropatch-for-zerologon-pe...	5
https://www.cvebase.com/cve/2020/1472	5
https://securityaffairs.co/wordpress/108262/hacking/zerolog...	5
https://support.microsoft.com/en-us/help/4557222/how-to-man...	5
https://piyolog.hatenadiary.jp/entry/2020/09/28/124522	5
https://www.freethreatintel.com	5
https://www.helpnetsecurity.com/2020/09/15/cve-2020-1472/	5
https://unit42.paloaltonetworks.com/zerologon/	5
https://ift.tt/3iw2wv3	4
http://cvebase.com/cve/2020/1472	4
https://blog.nviso.eu/2020/09/17/sentinel-query-detect-zero...	4
https://www.tenable.com/blog/cve-2020-1472-zerologon-vulner...	4
https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/e...	4
https://www.jpcert.or.jp/newsflash/2020091601.html	4
https://thehackernews.com/2020/09/detecting-and-preventing-...	4
https://blog.kaspersky.co.jp/cve-2020-1472-domain-controlle...	4
https://www.securityweek.com/microsoft-says-hackers-activel...	4
https://blog.trendmicro.co.jp/archives/26206	4
https://www.pentestpartners.com/security-blog/cve-2020-1472...	4
https://www.bleepingcomputer.com/news/microsoft/windows-zer...	4
https://techcommunity.microsoft.com/t5/microsoft-365-defend...	4
https://kas.pr/f69c	3
https://buff.ly/2FCOc57	3
https://zero.bs/zerologon-cve-2020-1472-finding-and-checkin...	3
https://youtu.be/1h_wlMWwyB4	3
https://go.shr.lc/2Ghs94g	3
https://medium.com/@aaron.margosis/clarifying-cve-2020-1472...	3
http://vulmon.com/vulnerabilitydetails?qid=CVE-2020-1472	3
https://opsmtrs.com/3gPRgc1	3
https://twitter.com/djrevmoon/status/1304396680654204930	3
http://mi6rogue.com/news	3
https://www.cisa.gov/blog/2020/09/18/windows-server-vulnera...	3
https://www.heise.de/news/Zerologon-Luecke-in-Windows-Serve...	3
https://cyber.dhs.gov/ed/20-04/	3
https://tryhackme.com/room/zer0logon	3
https://www.ipa.go.jp/security/ciadr/vul/20200812-ms.html	3
https://www.kroll.com/en/insights/publications/cyber/cve-20...	3
https://www.lares.com/blog/from-lares-labs-defensive-guidan...	3
https://www.samba.org/samba/security/CVE-2020-1472.html	3
https://www.zdnet.com/article/zerologon-attack-lets-hackers...	3
https://0xdf.gitlab.io/2020/09/17/zerologon-owning-htb-mach...	3
https://corelight.blog/2020/09/16/detecting-zerologon-cve-2...	3
https://www.secura.com/blog/zero-logon	3
https://www.splunk.com/en_us/blog/security/detecting-cve-20...	3
https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-...	3
https://nv2lt.github.io/windows/CVE-2020-1472-Step-by-Step-...	3
https://www.fireeye.com/blog/threat-research/2020/12/unauth...	3
https://grahamcluley.com/microsoft-warns-hackers-are-active...	3
https://news.yahoo.co.jp/byline/ohmototakashi/20200915-0019...	3
http://tweetedtimes.com/securitycrusade?s=tnp	3
https://www.blognone.com/node/118563	3
https://www.microsoft.com/security/blog/2020/11/30/zerologo...	3
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-...	3
https://msrc.microsoft.com/update-guide/vulnerability	3
https://www.theregister.com/2020/09/21/cisa_zerologon_emerg...	3
https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-020/	3
https://blog.segu-info.com.ar/2020/12/ataques-de-zerologon-...	3
https://msrc-blog.microsoft.com/2020/09/14/20200915_netlogon/	3
https://nakedsecurity.sophos.com/2020/09/17/zerologon-hacki...	3
https://ipssignatures.appspot.com/?cve=CVE-2020-1472	3

Information from Twitter

User	URL	Info Source	Date
Prohacktiv3	https://github.com/followboy1999/CVE-2022-25365	Source Prohacktiv3 1627564125713797122	2023/02/20
Prohacktiv3	https://twitter.com/Prohacktiv3/status/1627564125713797122/...	Source Prohacktiv3 1627564125713797122	2023/02/20
ArmeriaVillosa	https://tryhackme.com/room/zer0logon	Source ArmeriaVillosa 1634500732782034946	2023/03/11
MParis84	https://tryhackme.com/room/zer0logon	Source MParis84 1634923920485912578	2023/03/12
Christe05505504	https://tryhackme.com/room/zer0logon	Source Christe05505504 1642189775007301634	2023/04/02

List of frequently cited URLs

URL	Num of Times Referred to
alerts.vulmon.com	262
reportcybercrime.com	86
twinybots.ch	55
www.matteomalvica.com	26
blog.zsec.uk	19
newsbythehour.org	15
dirkjanm.io	11
canyoupwn.me	9
threatpost.com	7
blog.qualys.com	7
thedfirreport.com	7
portal.msrc.microsoft.com	7
github.com	6
bit.ly	5
arstechnica.com	5
blog.0patch.com	5
www.cvebase.com	5
securityaffairs.co	5
support.microsoft.com	5
piyolog.hatenadiary.jp	5
www.freethreatintel.com	5
www.helpnetsecurity.com	5
unit42.paloaltonetworks.com	5
ift.tt	4
cvebase.com	4
blog.nviso.eu	4
www.tenable.com	4
us-cert.cisa.gov	4
www.jpcert.or.jp	4
thehackernews.com	4
blog.kaspersky.co.jp	4
www.securityweek.com	4
blog.trendmicro.co.jp	4
www.pentestpartners.com	4
www.bleepingcomputer.com	4
techcommunity.microsoft.com	4
kas.pr	3
buff.ly	3
zero.bs	3
youtu.be	3
go.shr.lc	3
medium.com	3
vulmon.com	3
opsmtrs.com	3
twitter.com	3
mi6rogue.com	3
www.cisa.gov	3
www.heise.de	3
cyber.dhs.gov	3
tryhackme.com	3
www.ipa.go.jp	3
www.kroll.com	3
www.lares.com	3
www.samba.org	3
www.zdnet.com	3
0xdf.gitlab.io	3
corelight.blog	3
www.secura.com	3
www.splunk.com	3
blog.rapid7.com	3
nv2lt.github.io	3
www.fireeye.com	3
grahamcluley.com	3
news.yahoo.co.jp	3
tweetedtimes.com	3
www.blognone.com	3
www.microsoft.com	3
www.trustwave.com	3
msrc.microsoft.com	3
www.theregister.com	3
www.cert.ssi.gouv.fr	3
blog.segu-info.com.ar	3
msrc-blog.microsoft.com	3
nakedsecurity.sophos.com	3
ipssignatures.appspot.com	3

Information from Twitter

User	URL	Info Source
Prohacktiv3	github.com	Show Tweet
Prohacktiv3	twitter.com	Show Tweet
ArmeriaVillosa	tryhackme.com	Show Tweet
MParis84	tryhackme.com	Show Tweet
Christe05505504	tryhackme.com	Show Tweet

GitHub Search Results: Up to 10

Name	URL
SecuraBV/CVE-2020-1472	https://github.com/SecuraBV/CVE-2020-1472
dirkjanm/CVE-2020-1472	https://github.com/dirkjanm/CVE-2020-1472
risksense/zerologon	https://github.com/risksense/zerologon
VoidSec/CVE-2020-1472	https://github.com/VoidSec/CVE-2020-1472
k8gege/CVE-2020-1472-EXP	https://github.com/k8gege/CVE-2020-1472-EXP
mstxq17/cve-2020-1472	https://github.com/mstxq17/cve-2020-1472
cube0x0/CVE-2020-1472	https://github.com/cube0x0/CVE-2020-1472
bb00/zer0dump	https://github.com/bb00/zer0dump
sv3nbeast/CVE-2020-1472	https://github.com/sv3nbeast/CVE-2020-1472
zeronetworks/zerologon	https://github.com/zeronetworks/zerologon

GitHub Search Results: Up to 10

Name	URL
SecuraBV/CVE-2020-1472	github.com
dirkjanm/CVE-2020-1472	github.com
risksense/zerologon	github.com
VoidSec/CVE-2020-1472	github.com
k8gege/CVE-2020-1472-EXP	github.com
mstxq17/cve-2020-1472	github.com
cube0x0/CVE-2020-1472	github.com
bb00/zer0dump	github.com
sv3nbeast/CVE-2020-1472	github.com
zeronetworks/zerologon	github.com

2023/04/06 Score : 0
Added Har-sia Database : 2020/08/07
Last Modified : 2023/04/06
Highest Scored Date : 2020/09/15
Highest Score : 319