The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. Applying patches from Microsoft’s August 2020 Security Advisory for CVE-2020-1472 can prevent exploitation of this vulnerability.
CISA has released a patch validation script to detect unpatched Microsoft domain controllers. CISA urges administrators to patch all domain controllers immediately—until every domain controller is updated, the entire infrastructure remains vulnerable. Review the following resources for more information:
- CISA Patch Validation Script
- CISA Emergency Directive 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
- CERT/CC Vulnerability Note VU#490028
- Microsoft Security Vulnerability Information for CVE-2020-1472
- Microsoft’s guidance on How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472