Vulnerability – CVE-2020-1472
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.
To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
The ‘Zerologon‘ bug was patched by Microsoft last month, although the company did not reveal full details of the flaw at the time.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability “by modifying how Netlogon handles the usage of Netlogon secure channels.”
Last month, the company released the initial temporary fix for the Zerologon attack.
“Customers who apply the update, or have automatic updates enabled, will be protected,” Microsoft said at the time.
The second phase of Windows updates is expected to be available in February next year, and in that update, the enforcement mode for NRP will be turned on by default.