Privilege Escalation vulnerability in Microsoft Windows Netlogon Remote Protocol
Original Issue Date: September 21, 2020
Severity Rating: High
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation also affected)
- Windows Server 2012 (Server Core installation also affected)
- Windows Server 2012 R2 (Server Core installation also affected)
- Windows Server 2016 (Server Core installation also affected)
- Windows Server 2019 (Server Core installation also affected)
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
- Windows Server, version 2004 (Server Core installation)
A vulnerability has been reported in Microsoft Windows Netlogon Remote Protocol, which could be exploited by an attacker to gain elevated privileges on the target system.
The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) is a core authentication component of Active Directory that provides authentication for user and computer accounts.
By sending a number of Netlogon messages in which various fields are filled with zeroes, an unauthenticated attacker could change the computer password of the domain controller that is stored in Active Directory (AD). The attacker can then use this to obtain domain admin credentials and afterwards restore the original DC password.
Successful exploitation allows the attacker to alter additional credentials, escalate to the level of a domain admin, move laterally to other machines in the domain, and deploy other malware on the compromised networks.
Apply appropriate patches as mentioned in the Microsoft Advisory.
The information provided herein is on an "as is" basis, without warranty of any kind.
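Alongside patching, the computer-password change described above can be looked for in domain controller logs. The following is an added example, not part of the original advisory: it flags Security event 4742 records where a DC machine account password was set by ANONYMOUS LOGON, and NETLOGON events 5827-5829 about vulnerable secure-channel connections. The event IDs and field names are standard Windows ones rather than values from this advisory; the flattened dict export format, the host names and the sample records are assumptions constructed for illustration, and hits are leads to investigate, not proof of compromise.

```python
# Added example: triage of exported DC event records (sample data is constructed).
ANONYMOUS_SID = "S-1-5-7"                  # well-known SID of ANONYMOUS LOGON
NETLOGON_CHANNEL_IDS = {5827, 5828, 5829}  # vulnerable secure channel denied/allowed

def triage(events, dc_accounts):
    """Return a list of (reason, event) for records that need investigation.

    events      -- iterable of dicts with flattened event fields (assumed export format)
    dc_accounts -- machine account names of the domain controllers, e.g. "DC01$"
    """
    dcs = {name.upper() for name in dc_accounts}
    findings = []
    for ev in events:
        event_id = ev.get("EventID")
        if event_id == 4742:  # Security log: a computer account was changed
            on_dc = ev.get("TargetUserName", "").upper() in dcs
            by_anonymous = ev.get("SubjectUserSid") == ANONYMOUS_SID
            password_set = ev.get("PasswordLastSet", "-") != "-"  # "-" means unchanged
            if on_dc and by_anonymous and password_set:
                findings.append(("dc-password-changed-by-anonymous", ev))
        elif event_id in NETLOGON_CHANNEL_IDS and ev.get("Provider") == "NETLOGON":
            findings.append(("vulnerable-netlogon-secure-channel", ev))
    return findings

# Constructed sample records (not real logs); host names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 4742, "TargetUserName": "DC01$", "SubjectUserSid": "S-1-5-7",
     "SubjectUserName": "ANONYMOUS LOGON", "PasswordLastSet": "9/21/2020 10:15:02 AM"},
    {"EventID": 4742, "TargetUserName": "DC01$", "SubjectUserSid": "S-1-5-18",
     "SubjectUserName": "SYSTEM", "PasswordLastSet": "9/1/2020 3:00:11 AM"},  # other subject
    {"EventID": 4742, "TargetUserName": "WKSTN07$", "SubjectUserSid": "S-1-5-7",
     "SubjectUserName": "ANONYMOUS LOGON", "PasswordLastSet": "9/2/2020 8:41:30 AM"},  # not a DC
    {"EventID": 5829, "Provider": "NETLOGON", "MachineName": "LEGACY01"},
    {"EventID": 5829, "Provider": "OtherSource"},  # same ID, different provider: ignored
]

if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS, ["DC01$"]):
        print(reason, ev)
```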
Email: email@example.com Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003