CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

Published: 2020-07-29
MITRE CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.

There are many non-Windows device implementations of the Netlogon Remote Protocol (also called MS-NRPC). To ensure that vendors of non-compliant implementations can provide customers with updates, a second release that is planned for Q1 2021 will enforce protection for all domain-joined devices.

If the guidelines from the KB article “How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472” are not followed, your organization risks devices in your environment being denied access when the enforcement phase starts in Q1 2021. If there are currently no non-compliant devices in your environment, you can move to enforcement mode for further protection in advance of required enforcement.

The Base CVSS score for this vulnerability is 10 (out of 10 possible).
The Temporal CVSS score (at 2020-08-19) is 9.

There is no known exploitation of this in the wild, and the details of the vulnerability have not been publicly disclosed, meaning there should still be some time before this becomes a major issue. Should it become exploited in the wild, remember that Basefarm always recommends that domain controllers are not reachable from the public internet.

Basefarm is currently evaluating this vulnerability, how best to handle it, and how to ensure operational stability for all our customers. Our goal is to have this mitigated on all servers within 1 week. We are tracking this internally as BF-VLN-2102348 with the highest priority.

Unique insights and large ransomware attacks

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

This week we get a unique insight into a threat actor's inner workings as IBM's X-Force IRIS security team uncovered a 40GB cache of data belonging to a threat actor called "ITG18" (overlapping with a group alternatively known as Charming Kitten and Phosphorus), believed to be sponsored by Iran. Included in the extracted data are several hours of video "showing operators searching through and exfiltrating data from multiple compromised accounts".

Top 5 Security News

Vulnerable Citrix Appliances

On December 17, Citrix disclosed a vulnerability in their ADC, Gateway and SD-WAN product lines. Some patches were delivered around January 10, but these patches were not fully effective. A proper patch was not released until between January 19 and January 24, depending on the appliance and release train.

Unfortunately, the nature of the vulnerability makes it extremely simple to exploit. That, combined with the fact that these appliances are usually directly connected to the Internet, makes this a serious threat to overall Internet health. Exploit code has been generally available since about January 11, and there are now multiple automated scanners deployed that target unpatched appliances. When an appliance is compromised, the malware collects config files and potentially SSL certificates and keys. There have also been attempts to use compromised appliances as stepping stones to move further into the infrastructure.

Basefarm recommends that all such appliances are checked and verified as clean as soon as possible. FireEye has released a tool to aid in the verification; this tool can be found on GitHub. If a box is believed to be compromised, Basefarm recommends that the appliance is disconnected from the Internet immediately and fully replaced with a freshly installed one, with all necessary patches in place, before the appliance is exposed to the Internet again. All credentials and SSL keys stored on the appliance should be rotated.

Basefarm security news

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Florida has become the target of two serious ransomware attacks. The city of Pensacola reported a cyber incident that reportedly started Saturday morning. The city disconnected much of its network, affecting some payment and other services. The operators behind the Maze Ransomware have claimed responsibility for this attack. Prison Rehabilitative Industries and Diversified Enterprises Inc (PRIDE) in Florida was also targeted with ransomware on the same day. PRIDE is a non-profit that helps inmates transition to life outside of prison. There are no indications that the two attacks are linked to each other.

Top 5 Security News

Vietnamese Hackers Compromised BMW and Hyundai

Another Ransomware Will Now Publish Victims’ Data If Not Paid

AirDoS: Hackers Can Block iPhones, iPads Via AirDrop Attack

Attackers now use process hollowing to hide cryptocurrency miners on your PC

Microsoft Security Essentials Will Not Protect Windows 7 PCs After January 14, 2020


New Class of CPU Flaws Affect Almost Every Intel Processor Since 2011

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Academic researchers today disclosed details of the newest class of speculative execution side-channel vulnerabilities in Intel processors, which impact all modern chips, including the chips used in Apple devices.
After the discovery of the Spectre and Meltdown processor vulnerabilities earlier last year, which put practically every computer in the world at risk, different classes of Spectre and Meltdown variations have surfaced again and again.

Top 5 Security News

Microsoft Patches ‘Wormable’ Flaw in Windows XP, 7 and Windows 2003

Severe Linux kernel flaw found in RDS
Security Updates Released for Adobe Flash Player, Reader, and Media Encoder

WhatsApp flaw used to install spyware by simply calling the target

Downgrade Attack on TLS 1.3 and Vulnerabilities in Major TLS Libraries

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

On November 30, 2018, nccgroup disclosed CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869, and CVE-2018-16870. These stem from vulnerabilities found back in August 2018 in several TLS libraries.

Top 5 Security News

The dawn of the autonomous data center

In this article published by Data Center Dynamics, Ravin Mehta, founder of The unbelievable Machine Company, part of the Basefarm group, argues that now could be the time for the next big leap when it comes to the data center.

What AI and machine learning are and how they relate to IoT

We can better exploit new opportunities when we understand what new technologies involve and how they interact. Today’s topic is what artificial intelligence and machine learning are, and an insight into how they can relate to IoT and Big Data.

BF-SIRT Newsletter 2017-39

This week's top stories are an update on how the CCleaner APT security incident targeted large technology companies, and a Deloitte breach affecting all company email.

A couple of new stories are currently evolving, including an easy-to-exploit flaw in Linux kernel rated ‘high risk’ (CVE-2017-1000253) and a (for now) more theoretical CLKSCREW Attack which can hack modern chipsets via their power management features.

ICANN delays KSK Rollover over fears 60 million people would be kicked offline.

If you are looking for longer reading to keep you company this weekend, you are in luck: the McAfee Labs Report sees cyberattacks targeting healthcare and social media users, Accenture reports that the global cost of cybercrime soared 23% in a year, and Europol published its Internet Organised Crime Threat Assessment.

Notable CVEs this week
CVE-2017-14867 – git: cvsserver command injection – CVSS3 Base Score 7.8
CVE-2017-1000253 – kernel: load_elf_binary() – CVSS3 Base Score 7.8
CVE-2017-7805 – nss: Potential use-after-free in TLS 1.2 server – CVSS3 Base Score 7.5

Top 5 Security Links
Avast, Cisco Confirm: CCleaner Malware Targeted Large Technology Companies
Source: Deloitte Breach Affected All Company Email, Admin Accounts
Patch alert! Easy-to-exploit flaw in Linux kernel rated ‘high risk’
CLKSCREW Attack Can Hack Modern Chipsets via Their Power Management Features
Internet-wide security update put on hold over fears 60 million people would be kicked offline