CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS: 0.974 High
Percentile: 99.9%
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.
Recent assessments:
VoidSec at September 15, 2020 8:31am UTC reported:
An unauthenticated attacker able to directly connect to a Domain Controller over NRPC will be able to reset the Domain Controller’s account password to an empty string, thus enabling the attacker to further escalate their privileges to Domain Admin.
The exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally, as when changing a password in this way it is only changed in AD. The targeted system itself will still locally store its original password.
The target computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action.
In a test lab, a successful attack broke the following functionality when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.
Checker and Exploit code
Original research and white-paper: [Secura – Tom Tervoort](https://www.secura.com/blog/zero-logon)
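The assessment above describes the outcome (the DC's machine account password reset to an empty string) but not why the secure-channel handshake can be passed without knowing the session key. The referenced Secura whitepaper explains it: ComputeNetlogonCredential is AES-CFB8 with an initialization vector fixed to sixteen zero bytes, so for roughly one session key in 256 an all-zero client challenge produces an all-zero credential, and the attacker simply retries the authentication until that happens. The Python below is an added illustration of that arithmetic written for this page; it is not the checker or exploit code linked above, nor Secura's or VoidSec's code, and it sends no network traffic. The block cipher is a keyed SHA-256 stand-in rather than AES (CFB8 only calls the forward direction of the block cipher, so the argument is identical for any 128-bit block function), and every function and label name is an assumption.

```python
"""Why the Zerologon credential check fails: a simulation of MS-NRPC's
ComputeNetlogonCredential (AES-CFB8 with a fixed all-zero IV).

Added example, not the checker/exploit code referenced on this page.
The block cipher is a keyed SHA-256 stand-in, NOT AES: CFB8 only uses the
block cipher's forward direction, so the all-zero argument below is the same
for any 128-bit block function.  All function names here are assumptions.
"""
import hashlib

BLOCK_BYTES = 16          # 128-bit block, like AES
CREDENTIAL_BYTES = 8      # Netlogon challenges and credentials are 8 bytes
ZERO_IV = bytes(BLOCK_BYTES)
ZERO_CHALLENGE = bytes(CREDENTIAL_BYTES)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encrypt(key, block): a keyed PRF on one 16-byte block."""
    assert len(key) == BLOCK_BYTES and len(block) == BLOCK_BYTES
    return hashlib.sha256(b"block|" + key + block).digest()[:BLOCK_BYTES]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB-8 mode: keystream byte = E(register)[0]; the register then shifts
    left one byte and the ciphertext byte enters at the end."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])   # feedback of the ciphertext byte
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """MS-NRPC AES variant: CFB8 over the 8-byte challenge with IV fixed to zeros."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def is_weak_session_key(session_key: bytes) -> bool:
    """True when a client challenge of eight zero bytes yields an all-zero credential,
    i.e. the server would accept an attacker who sends eight zeros without the key."""
    return compute_netlogon_credential(session_key, ZERO_CHALLENGE) == ZERO_CHALLENGE


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """Once E(0)[0] == 0 the register stays all-zero, so every later byte is zero too:
    the weak-key condition collapses to a single byte, hence probability 1/256."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def derive_key(label: bytes, index: int) -> bytes:
    """Deterministic stand-in for the per-session key the DC would derive."""
    return hashlib.sha256(label + index.to_bytes(4, "big")).digest()[:BLOCK_BYTES]


def weak_key_fraction(samples: int) -> float:
    """Fraction of deterministic sample keys that are weak; converges to 1/256 = 0.0039."""
    return sum(is_weak_session_key(derive_key(b"sample", i)) for i in range(samples)) / samples


def attempts_until_accepted(max_attempts: int = 5000) -> tuple:
    """Simulate the attack loop: each NetrServerAuthenticate3 attempt gets a fresh
    server-side session key; the attacker always sends eight zero bytes.
    Returns (attempt_number, session_key) on success, (0, None) if it gave up."""
    for attempt in range(1, max_attempts + 1):
        session_key = derive_key(b"session", attempt)
        if compute_netlogon_credential(session_key, ZERO_CHALLENGE) == ZERO_CHALLENGE:
            return attempt, session_key
    return 0, None


if __name__ == "__main__":
    print(f"weak keys in 20000 samples: {weak_key_fraction(20000):.4f} (expect ~0.0039)")
    n, key = attempts_until_accepted()
    print(f"zero credential accepted on attempt {n}; weak key = {key.hex()}")
```

Running the module prints the observed weak-key fraction and the attempt on which a zero credential is accepted. The published checkers and exploits drive the same loop with real NetrServerReqChallenge/NetrServerAuthenticate3 calls against the DC, which is why they iterate on the order of 2000 times rather than once. The practitioner's takeaway is that the defect sits in the credential check, not in the password reset: a DC whose machine password has never been touched can still be vulnerable, so patch state has to be confirmed on the Netlogon side rather than inferred from whether the password survived.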
wvu-r7 at August 11, 2020 10:15pm UTC reported:
jpcastr0 at September 16, 2020 3:29pm UTC reported:
zeroSteiner at October 09, 2020 5:00pm UTC reported:
gwillcox-r7 at October 20, 2020 6:00pm UTC reported:
cbeek-r7 at October 16, 2023 12:18pm UTC reported:
aherndon-r7 at May 03, 2021 8:58pm UTC reported:
Assessed Attacker Value: 5
lists.opensuse.org/opensuse-security-announce/2020-09/msg00080.html
lists.opensuse.org/opensuse-security-announce/2020-09/msg00086.html
packetstormsecurity.com/files/159190/Zerologon-Proof-Of-Concept.html
packetstormsecurity.com/files/160127/Zerologon-Netlogon-Privilege-Escalation.html
www.openwall.com/lists/oss-security/2020/09/17/2
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472
github.com/SecuraBV/CVE-2020-1472
github.com/VoidSec/CVE-2020-1472
lists.debian.org/debian-lts-announce/2020/11/msg00041.html
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4OTFBL6YDVFH2TBJFJIE4FMHPJEEJK3/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ST6X3A2XXYMGD4INR26DQ4FP4QSM753B/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAPQQZZAT4TG3XVRTAFV2Y3S7OAHFBUP/
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
security.gentoo.org/glsa/202012-24
support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
us-cert.cisa.gov/ncas/current-activity/2020/10/29/microsoft-warns-continued-exploitation-cve-2020-1472
usn.ubuntu.com/4510-1/
usn.ubuntu.com/4510-2/
usn.ubuntu.com/4559-1/
www.kb.cert.org/vuls/id/490028
www.synology.com/security/advisory/Synology_SA_20_21
www.zerodayinitiative.com/blog/2020/8/11/the-august-2020-security-update-review