Aug 2020: Netlogon Elevation of Privilege Vulnerability
CVE-2020-1472 Published on August 17, 2020

Netlogon Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Known Exploited Vulnerability

This NetLogon Privilege Escalation Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. A privilege escalation vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.

The following remediation steps are recommended / required by September 21, 2020: Apply updates per vendor instructions.


Products Associated with CVE-2020-1472

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-1472 are published in these products:

Samba
 
Canonical Ubuntu Linux
 
Fedora Project Fedora
 
Microsoft Windows Server 2008
 
Microsoft Windows Server 2012
 
Microsoft Windows Server 2016
 
Microsoft Windows Server 2019
 
OpenSuse Leap
 
Synology Directory Server
 
Debian Linux
 
Oracle Zfs Storage Appliance Kit
 
Microsoft Windows Server 2004
 
Microsoft Windows Server 20h2
 
Microsoft Windows Server 1903
 
Microsoft Windows Server 1909
 
Microsoft Windows Server 2008 R2
 
Microsoft Windows Server 2012 R2
 

Affected Versions

Microsoft Windows Server version 2004: Microsoft Windows Server 2019: Microsoft Windows Server 2019 (Server Core installation): Microsoft Windows Server, version 1909 (Server Core installation): Microsoft Windows Server, version 1903 (Server Core installation): Microsoft Windows Server 2016: Microsoft Windows Server 2016 (Server Core installation): Microsoft Windows Server 2008 R2 Service Pack 1: Microsoft Windows Server 2008 R2 Service Pack 1 (Server Core installation): Microsoft Windows Server 2012: Microsoft Windows Server 2012 (Server Core installation): Microsoft Windows Server 2012 R2: Microsoft Windows Server 2012 R2 (Server Core installation): Microsoft Windows Server version 20H2:

Exploit Probability

EPSS
94.38%
Percentile
99.97%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.