CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

Published: 2020-07-29
MITRE CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.

There are many non-Windows device implementations of the Netlogon Remote Protocol (also called MS-NRPC). To ensure that vendors of non-compliant implementations can provide customers with updates, a second release that is planned for Q1 2021 will enforce protection for all domain-joined devices.

If the guidelines from the KB article “How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472” are not followed, your organization risks devices in your environment being denied access when the enforcement phase starts in Q1 2021. If there are currently no non-compliant devices in your environment, you can move to enforcement mode for further protection in advance of required enforcement.

The Base CVSS score for this vulnerability is 10 (out of 10 possible).
The Temporal CVSS score (at 2020-08-19) is 9.

There is no known exploitation of this in the wild, and the details about the vulnerability is not publicly disclosed. Meaning there should be some time still before this is a major issue. And if it becomes exploited in the wild, Basefarm always recommends that domain controllers are not reachable on the public internet.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. Our goal is to have this mitigated on all servers within 1 week. We are tracking this internally as BF-VLN-2102348 with the highest priority.