0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2

win7 [German]ACROS Security has released a micropatch for the vulnerability CVE-2020-1472 (Zerologon) for Windows Server 2008 R2. This vulnerability is only closed by Microsoft starting with Windows Server 2012 R2.

The vulnerability CVE-2020-1472 (Zerologon)

CVE-2020-1472 was issued for an elevation of privilege vulnerability in Windows. The vulnerability could allow a domain controller to be taken over. Microsoft writes about this:

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.

To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

Microsoft fixes the vulnerability in a staggered two-part rollout. Updates from August 11, 2020 fix the vulnerability by changing the way Netlogon handles the use of secure Netlogon channels (see this Microsoft article). However, only updates for Windows Server 2012 / R2 and Windows Server 2016/2019 have been released. 

Guidelines on how to manage the changes required by this vulnerability and more information on how to implement it step-by-step can be found in How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472. I also reported on the blog (see links at the end of the article).

0patch fix for Windows Server 2008 R2

ACROS Security has developed a micropatch for the vulnerability CVE-2020-1472. I got aware of the information about the release of the micropatch for Windows Server 2008 R2 via Twitter. The ACROS Security blog post here contains more information. 

0patch-Fix für Windows Server 2008 R2
(0patch Fix for CVE-2020-1472 )

This micropatch is now available for 0patch users with PRO license and is already applied to all online computers with 0patch Agent (except in non-standard enterprise configurations). As always, there is no need to restart the computer and users' work is not interrupted.

For information on how the 0patch Agent works, which loads the micro-patches into memory at runtime of an application, please refer to the blog posts (e.g. here) I have linked below.  

Similar articles:
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2

Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking
Windows Domain Controller suddenly generate EventID 5829 warnings (August 11, 2020)

This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *