Nov 18, 2020

[Vuln] More About the Zerologon Vulnerability (CVE-2020-1472)

The CVE-2020-1472 vulnerability was disclosed in August. It is an elevation-of-privilege vulnerability that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol.

This vulnerability is better known as Zerologon and received a CVSS score of 10.0. Here is a summary of the vulnerability:

  • Proof of concept available [ yes ]
  • Unauthenticated attack [ yes ]
  • Admin privileged access [ yes ]
  • Easy to weaponize [ yes ]
  • Remote attack [ yes, same LAN only ] **

** At least the last point is good news: a vulnerable client or DC exposed to the internet is not exploitable on its own. (whew)

There are 2 things I would like to emphasize in this post.

First, the patch released in August isn't a full fix. The patch only helps to protect the vulnerable servers (domain controllers) from exploit/malware attacks. This is like deploying an antivirus solution that blocks the WannaCry malware without patching the root problem.

The root of the problem lies in the RPC-based Netlogon Remote Protocol (MS-NRPC), and Microsoft has slated a second patch for Q1 2021 to address the bug itself.

The Netlogon component performs authentication on the intra-domain network. It is also used for replicating the database backup and for maintaining the relationship between domain members and the domain's DCs (or DCs across domains). In the worst case, the DC can be taken over by an unauthenticated attacker.

Second, this vulnerability mainly targets domain controllers (DCs), including Samba servers acting as DCs. However, a default Samba installation (running as a file server) is not directly impacted.

For Samba, this vulnerability is more a misconfiguration than a bug. Samba has insisted on a secure Netlogon channel since version 4.8 (March 2018), which is a sufficient fix against the Zerologon attack. [Samba servers of those versions are not vulnerable unless smb.conf contains the line 'server schannel = no' or 'server schannel = auto'.]

Samba versions 4.7 and below are impacted by the vulnerability unless they have 'server schannel = yes' in smb.conf. "The 'server schannel = yes' smb.conf line is equivalent to the 'FullSecureChannelProtection=1' registry key in Microsoft OS, the introduction of which we understand forms the core of Microsoft's fix."
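The two Samba rules above (4.8+ is safe unless smb.conf sets 'server schannel = no' or 'auto'; 4.7 and below need an explicit 'server schannel = yes') can be turned into a small smb.conf audit. This is an added example, not Samba's own code; the smb.conf content is constructed, and it assumes that an unset 'server role' means the default file-server installation, which the post says is not directly impacted.

```python
"""Audit a Samba smb.conf for Zerologon (CVE-2020-1472) exposure.
Added example, not Samba's own code; rules follow the post above."""
import re

# Constructed smb.conf of a Samba AD DC that explicitly weakens the channel.
WEAK_DC_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    ; constructed: this line re-enables the insecure Netlogon channel
    Server Schannel = auto
[sysvol]
    path = /var/lib/samba/sysvol
"""

def _norm(key):
    # smb.conf keys are case-insensitive and ignore internal whitespace
    return re.sub(r"\s+", "", key).lower()

def get_global(smb_conf, key):
    """Return the last value of `key` in the [global] section, or None."""
    want, section, value = _norm(key), None, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            continue
        if section == "global" and "=" in line:
            k, v = line.split("=", 1)
            if _norm(k) == want:
                value = v.strip().lower()
    return value

def assess(smb_conf, samba_version):
    """Return (vulnerable, reason) for this smb.conf and Samba version."""
    major, minor = (int(x) for x in samba_version.split(".")[:2])
    # Assumption: unset role == default standalone file-server install.
    role = get_global(smb_conf, "server role") or "standalone server"
    if "domain controller" not in role:
        return False, f"server role '{role}' is not a DC; not directly impacted"
    schannel = get_global(smb_conf, "server schannel")
    if schannel == "yes":
        return False, "server schannel = yes enforces the secure channel"
    if schannel in ("no", "auto"):
        return True, f"server schannel = {schannel} allows insecure Netlogon"
    if (major, minor) >= (4, 8):
        return False, "Samba >= 4.8 defaults to server schannel = yes"
    return True, "Samba <= 4.7 defaults insecure; set server schannel = yes"
```

Running `assess(WEAK_DC_CONF, "4.12.7")` flags the constructed DC even though its version is well past 4.8, because the explicit 'auto' overrides the safe default.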

Link: