CVE-2020-1472: 
vulnerability analysis and mitigation

CVE-2020-1472, also known as Zerologon, is a critical vulnerability (CVSS 10.0) discovered in the Netlogon Remote Protocol (MS-NRPC) that was disclosed in August 2020. The vulnerability allows an unauthenticated attacker to establish a vulnerable Netlogon secure channel connection to a domain controller and potentially gain domain administrator access. The issue stems from the improper implementation of AES-CFB8 cryptography in the protocol, where a static initialization vector of zero is used (CERT Advisory, CrowdStrike Blog).

The core vulnerability lies in the ComputeNetlogonCredential function of the Netlogon Remote Protocol which uses AES-CFB8 mode with a fixed initialization vector (IV) of 16 zero bytes. This cryptographic flaw means that encryption of 8-bytes of zeros could yield a ciphertext of zeros with a probability of 1 in 256. Combined with the fact that unencrypted Netlogon sessions aren't rejected by servers by default, an attacker can exploit this to impersonate any domain-joined computer, including a domain controller (CrowdStrike Blog).

A successful exploit allows an unauthenticated attacker with network access to a domain controller to establish a vulnerable Netlogon secure channel connection and potentially gain domain administrator privileges. The attacker could set an empty password for the domain controller's Active Directory computer account, causing a denial of service, and potentially allowing complete domain compromise (CERT Advisory).

Microsoft addressed this vulnerability in a phased two-part rollout. The initial phase began with the August 2020 security update which enforced secure RPC usage for machine accounts on Windows-based devices. The second phase, released in February 2021, enforced secure RPC for all devices. Organizations should: 1) Deploy the security updates to all domain controllers 2) Enable enforcement mode 3) Monitor event logs for vulnerable connections 4) Update non-compliant devices (Microsoft Blog).

The vulnerability received significant attention from the security community due to its critical severity and ease of exploitation. Microsoft and other vendors like Samba quickly released patches. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal agencies to patch their systems, highlighting the severity of the vulnerability (MSRC Blog).