Overview
CVE-2020-1472, nicknamed "ZeroLogon," is a cryptographic vulnerability in the Windows Netlogon Remote Protocol (MS-NRPC) that lets an unauthenticated attacker with network access to a domain controller take over a Windows Active Directory domain in seconds, with no credentials at all. The flaw is in how Netlogon computes its challenge-response credential: AES-CFB8 with an initialization vector (IV) fixed to all zeros. For roughly one session key in 256, that construction encrypts an all-zero plaintext to an all-zero ciphertext, so an attacker who keeps submitting an all-zero client challenge and an all-zero client credential needs about 256 NetrServerAuthenticate3 attempts on average before the server accepts the session as any domain computer account, the domain controller's own account included.
Once accepted as the domain controller's computer account, the attacker calls NetrServerPasswordSet2 to set that account's password in Active Directory to an empty string, authenticates with the empty password, and uses the directory replication protocol (DCSync) to dump every credential in the domain. The result is complete domain takeover without any pre-existing account.
Note on CVSS score: The NVD entry carries a 5.5 score with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, that is, a local attack by a low-privileged user with a confidentiality-only impact. That vector describes neither the attack documented on this page (network-reachable, unauthenticated, an integrity impact in the form of a password reset, and a scope change to the whole domain) nor Microsoft's own assessment: the MSRC advisory rated the flaw Critical with a base score of 10.0. The security industry, CISA included, treats ZeroLogon as a Critical/10.0 vulnerability, and that is the rating to use for prioritization.
What Is the Windows Netlogon Protocol?
The Netlogon Remote Protocol (MS-NRPC) is a core Windows RPC interface that domain members use to establish a secure channel to a domain controller, perform pass-through (NTLM) authentication, change their machine account passwords, and locate domain controllers. Domain controllers expose it as RPC over SMB on the \PIPE\NETLOGON named pipe (TCP 445) and as RPC over TCP (the endpoint mapper on TCP 135 plus a dynamically assigned port). Any host that can reach a domain controller on those ports, domain-joined or not, can start the Netlogon secure-channel handshake, and that handshake is exactly where the flaw lies.
Affected Versions
| Windows Version | Vulnerable | Fixed |
|---|---|---|
| Windows Server 2008 R2 SP1 | Yes | August 2020 Patch Tuesday |
| Windows Server 2012 | Yes | August 2020 Patch Tuesday |
| Windows Server 2012 R2 | Yes | August 2020 Patch Tuesday |
| Windows Server 2016 | Yes | August 2020 Patch Tuesday |
| Windows Server 2019 | Yes | August 2020 Patch Tuesday |
| Windows Server, version 1903 (Server Core) | Yes | August 2020 Patch Tuesday |
| Windows Server, version 1909 (Server Core) | Yes | August 2020 Patch Tuesday |
| Windows Server, version 2004 (Server Core) | Yes | August 2020 Patch Tuesday |
The attack targets domain controllers running any affected version; only the Netlogon service on a DC accepts the secure-channel handshake the exploit abuses. Domain member workstations and servers are not targets, but any of them, or any other host that can reach TCP 445 or TCP 135 on a DC, is an adequate launch point, so one compromised endpoint is enough. Samba-based domain controllers were also affected and have their own advisory for CVE-2020-1472.
Technical Details
Root Cause: AES-CFB8 with Zero Initialization Vector
Establishing a Netlogon secure channel takes two RPC calls. In NetrServerReqChallenge the client sends an 8-byte client challenge and the server answers with an 8-byte server challenge. Both sides then derive a session key from the computer account's password and the two challenges; with the AES scheme that all modern Windows versions negotiate, the key is HMAC-SHA256 keyed with the account's NT hash over client challenge || server challenge, truncated to 16 bytes. In NetrServerAuthenticate3 the client proves knowledge of that key by sending a client credential: the 8-byte client challenge encrypted with AES-CFB8 (cipher feedback mode with an 8-bit segment size) under the session key. The server computes the same value and compares.
The cryptographic flaw: MS-NRPC fixes the AES-CFB8 IV to 16 zero bytes. CFB8 produces ciphertext one byte at a time: each output byte is the first byte of AES(session key, shift register) XORed with the plaintext byte, after which the register shifts left by one byte and the new ciphertext byte is appended. Start with a zero register and a zero plaintext and the first ciphertext byte is simply the first byte of AES(session key, 16 zero bytes). For roughly 1 key in 256 that byte is 0, and then the register is still all zeros for the next byte, and the next, so the entire 8-byte credential comes out as zeros. This means:
- The correct client credential for a session is an unknown 8-byte value that the attacker cannot compute without the machine account password.
- If the session key happens to satisfy AES(key, 16 zero bytes)[0] = 0, the credential for an all-zero client challenge is itself all zeros, and a client credential of eight zero bytes is accepted.
- Every NetrServerReqChallenge call returns a fresh server challenge and therefore a fresh session key, and the server applies no lockout or rate limit to failed NetrServerAuthenticate3 calls for computer accounts, so the attacker simply repeats the handshake with a zero challenge and a zero credential; about 256 attempts are needed on average.
- The attacker also chooses negotiate flags that leave out secure-channel signing and sealing, so the calls that follow need no knowledge of the session key beyond the property above.
Exploitation: Step by Step
- Send NetrServerReqChallenge to the target domain controller with an all-zero client challenge, naming any computer account (the DC's own account is the useful choice), and follow with NetrServerAuthenticate3 carrying an all-zero client credential and negotiate flags that disable signing and sealing. Repeat until the call returns success; on average this takes 256 tries and a few seconds.
- Call NetrServerPasswordSet2 for the DC's computer account. The call needs an authenticator (AES-CFB8 of the client credential plus a timestamp) and the new password as a 516-byte NL_TRUST_PASSWORD structure encrypted under the session key. With a key that has the zero-output property, zero inputs encrypt to zero outputs: an all-zero authenticator passes, and an all-zero password blob decrypts to a length field of 0, so the account's password in Active Directory becomes empty.
- Authenticate to the domain controller as its computer account with the empty password, using Impacket's secretsdump, Mimikatz or similar tooling.
- Perform DCSync: use the directory replication service interface (DRSUAPI) to dump every account's credentials, including the krbtgt account hash, which enables Golden Ticket forgery and long-term domain persistence.
- Restore the DC's original machine account password. The reset changes only the password stored in Active Directory, not the secret the DC keeps locally, so until the two match again the DC cannot maintain its own secure channel and replication, DNS and other services degrade. Attackers and red teams recover the original password from the DC's LSA secrets, readable with the domain admin credentials just obtained, and set it back; dirkjanm's PoC repository includes a script for this.
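To see the root cause and the exploit steps end to end without touching a domain controller, here is an added Python simulation written for this page (it is not Secura's, Impacket's or dirkjanm's code). It embeds a small AES-128 so that no third-party package is needed, implements the AES-CFB8 credential computation with the fixed zero IV, and replaces the real key derivation with seeded random session keys: the attacker cannot compute the real key, and every fresh server challenge makes it effectively random from their point of view, which is all the attack relies on. The attempt loop, the NetrServerPasswordSet2 forgery check and the 516-byte NL_TRUST_PASSWORD layout follow the steps above; the function names, the seed and the constructed sample keys are assumptions of the example.

```python
"""ZeroLogon crypto walk-through: AES-CFB8 with a zero IV accepts a zero credential for about
1 session key in 256. Added example for this page; self-contained, offline, no real keys."""
import random

# ---- minimal AES-128 block encryption (FIPS-197), written small rather than fast ----
def _xtime(a):
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):  # multiplication in GF(2^8) with the AES polynomial
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _make_sbox():
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)  # inverse, 0 -> 0
        s = t = inv
        for _ in range(4):  # affine map: b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63
            t = ((t << 1) | (t >> 7)) & 0xFF
            s ^= t
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _make_sbox()

def _round_keys(key):
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]  # 11 round keys, 16 bytes each

def _mix_columns(s):
    out = []
    for a, b, c, d in (s[i:i + 4] for i in range(0, 16, 4)):
        out += [_gmul(a, 2) ^ _gmul(b, 3) ^ c ^ d, a ^ _gmul(b, 2) ^ _gmul(c, 3) ^ d,
                a ^ b ^ _gmul(c, 2) ^ _gmul(d, 3), _gmul(a, 3) ^ b ^ c ^ _gmul(d, 2)]
    return out

def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block; the state is column-major (index = 4*column + row)."""
    rks = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                             # SubBytes
        s = [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:
            s = _mix_columns(s)                                              # MixColumns
        s = [b ^ k for b, k in zip(s, rks[rnd])]                             # AddRoundKey
    return bytes(s)

# ---- AES-CFB8 as MS-NRPC uses it: 8-bit feedback, IV fixed to 16 zero bytes ----
NETLOGON_IV = bytes(16)

def aes_cfb8_encrypt(key, iv, data):
    reg, out = bytearray(iv), bytearray()
    for p in data:
        c = aes128_encrypt_block(key, bytes(reg))[0] ^ p  # only byte 0 of each block is used
        out.append(c)
        reg = reg[1:] + bytes([c])  # a zero ciphertext byte leaves an all-zero register unchanged
    return bytes(out)

def netlogon_credential(session_key, challenge):
    """ComputeNetlogonCredential, AES variant: CFB8 over the 8-byte challenge with the zero IV."""
    return aes_cfb8_encrypt(session_key, NETLOGON_IV, challenge)

def zero_credential_accepted(session_key):
    """The DC's NetrServerAuthenticate3 check when client challenge and credential are zeros."""
    return netlogon_credential(session_key, bytes(8)) == bytes(8)

def zerologon_attempts(seed=0, max_attempts=5000):
    """Attacker loop. The real key is HMAC-SHA256(NT hash, client||server challenge)[:16], unknown
    to the attacker and fresh per NetrServerReqChallenge; a seeded random 16-byte key stands in
    for it (simulation assumption). Returns (attempts, accepted key) or (None, None)."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        session_key = bytes(rng.getrandbits(8) for _ in range(16))
        if zero_credential_accepted(session_key):
            return attempt, session_key
    return None, None

def forged_password_set_passes(session_key):
    """Why NetrServerPasswordSet2 also works with zeros: authenticator (credential + timestamp)
    and the 516-byte NL_TRUST_PASSWORD blob are CFB8-encrypted under the same key, so zeros stay
    zeros and the blob's trailing 4-byte length field decodes to 0, i.e. an empty password."""
    authenticator = aes_cfb8_encrypt(session_key, NETLOGON_IV, bytes(8))
    blob = aes_cfb8_encrypt(session_key, NETLOGON_IV, bytes(516))
    return authenticator == bytes(8) and int.from_bytes(blob[-4:], "little") == 0

if __name__ == "__main__":
    n, key = zerologon_attempts(seed=2020)
    print(f"accepted after {n} attempts; AES(key, zeros)[0] = {aes128_encrypt_block(key, bytes(16))[0]}")
    print("all-zero NetrServerPasswordSet2 would pass:", forged_password_set_passes(key))
```

Run it a few times with different seeds and the attempt count scatters around 256, which is the geometric distribution with p = 1/256 that the whitepaper describes. The accepted key always has a zero first byte in AES(key, zeros), which is the whole condition; the 516-byte check shows why the password reset needs no additional luck once the handshake has succeeded.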
Attack Characteristics
| Attribute | Detail |
|---|---|
| Network Requirement | Reachability to a domain controller on TCP 445 (RPC over the NETLOGON named pipe) or TCP 135 plus a dynamic RPC port |
| Authentication Required | None — attack authenticates without any credentials |
| Speed | Full domain compromise achievable in seconds |
| Impact | Complete Active Directory domain takeover |
| Accounts at Risk | All domain accounts including Domain Admin and krbtgt |
| Persistence Method | DCSync of the krbtgt hash → Golden Ticket; forged tickets stay valid, with no further domain access, until krbtgt is rotated twice |
Discovery
Tom Tervoort of Secura BV (Netherlands) discovered the vulnerability. Secura reported it to Microsoft in April 2020 under coordinated disclosure, and Microsoft patched it in the August 2020 Patch Tuesday release (August 11, 2020). Secura published its technical whitepaper on September 11, 2020, one month after the patch, and public PoC development started immediately. Within days, multiple functional PoC exploits were published, and on September 18, 2020 CISA issued Emergency Directive 20-04 requiring federal agencies to patch within three days.
Exploitation Context
ZeroLogon saw immediate, widespread exploitation following Secura's whitepaper publication:
- Nation-state use: Microsoft attributed in-the-wild use within weeks of the PoC release to the Iranian actor MERCURY (MuddyWater); other Iranian groups (Pioneer Kitten / Fox Kitten, UNC757) have also been reported using ZeroLogon for initial Active Directory compromise
- Ransomware operators: Ryuk intrusions documented in October 2020 used ZeroLogon to go from a single phished workstation to domain admin in hours, and other ransomware crews folded it into their lateral movement playbooks for rapid domain takeover
- CISA ED 20-04: The speed of exploitation prompted one of CISA's fastest-ever emergency directives, with a 72-hour remediation requirement
- Incomplete mitigation window: Microsoft shipped the fix in two phases, an initial deployment phase (August 11, 2020) and an enforcement phase (February 9, 2021). In the first phase, DCs still accepted vulnerable Netlogon connections from non-Windows devices unless an administrator set FullSecureChannelProtection=1, so organizations that applied only the August update and kept the default remained exposed through those devices until February 2021
Remediation
Recommended Actions
- Apply the August 2020 security update to every domain controller. Verify on each DC that it is present, e.g. `wmic qfe list | findstr 4571694` on Windows Server 2016 (KB4571694; other versions have their own KB numbers). On Server 2016 and 2019 a later cumulative update supersedes the August one and the KB may no longer be listed, so compare the OS build instead: 14393.3866 or higher on 2016, 17763.1397 or higher on 2019.
- Enable enforcement mode. The August 2020 update put DCs in a deployment phase: connections from Windows members, trusts and other DCs were already required to use secure RPC, but vulnerable connections from non-Windows devices were still accepted and merely logged. Setting the DWORD value FullSecureChannelProtection to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters turns enforcement on early; the February 9, 2021 update (enforcement phase) makes it unconditional. Verify with the Netlogon events in the System log, documented in Microsoft's KB4557222: 5829 means a vulnerable connection was allowed, so enforcement is not active; 5827 (computer account) and 5828 (trust account) mean one was denied; 5830 and 5831 mean one was allowed only because of the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy exception, which should be empty or reviewed.
- Monitor for exploitation. Event ID 4742 (a computer account was changed) on a domain controller where the subject is ANONYMOUS LOGON and the target is a computer account, above all the DC's own, is the footprint of the NetrServerPasswordSet2 call; the exploit's RPC traffic may also leave 4624 logon type 3 events for ANONYMOUS LOGON from the attacker's address. On the wire, hundreds of NetrServerReqChallenge/NetrServerAuthenticate3 pairs with an all-zero client challenge from one host within a few seconds are unambiguous.
- Rotate the krbtgt account password twice if you suspect compromise. Golden Tickets stay valid as long as the krbtgt hash they were forged with is still the current or the previous password, so two resets are needed; wait for replication and at least the maximum ticket lifetime (10 hours by default) between them to avoid invalidating legitimate tickets.
- Audit Domain Admins and other privileged group memberships, and review accounts created or modified during any potential compromise window.
- Restrict Netlogon reachability at the network layer: domain controllers should not be reachable on TCP 445 and TCP 135 from untrusted or user segments, and micro-segmentation of AD infrastructure shrinks the set of hosts from which the attack can be launched.
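A small triage script, added here as an example for this page (not Microsoft's or any vendor's tooling), that applies the monitoring rules above to event records exported from a domain controller. The records are constructed for the example and written as key=value lines, one event per line; a real pipeline would feed it parsed XML or JSON from the Security and System logs, and the set of DC account names is an assumed input.

```python
"""Triage exported domain controller events for ZeroLogon indicators (added example)."""
import re

# Constructed sample export, not real logs: one event per line as key=value pairs.
# 5827-5831 come from the System log (source Netlogon), 4742/4624 from the Security log.
SAMPLE_EVENTS = """
Log=System EventID=5829 Computer=DC01 Account=FILESRV01$ Source=10.10.1.15
Log=System EventID=5827 Computer=DC01 Account=LAB-NAS$ Source=10.10.7.9
Log=System EventID=5830 Computer=DC01 Account=OLDAPP01$ Source=10.10.2.30
Log=Security EventID=4624 Computer=DC01 Subject="ANONYMOUS LOGON" LogonType=3 Source=10.10.9.200
Log=Security EventID=4742 Computer=DC01 Subject="ANONYMOUS LOGON" Target=DC01$ Changed=PasswordLastSet
Log=Security EventID=4742 Computer=DC01 Subject=svc_sccm Target=WS0042$ Changed=PasswordLastSet
""".strip().splitlines()

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

def triage(lines, dc_accounts):
    """Apply the monitoring guidance and return findings sorted by severity.
    dc_accounts: set of domain controller computer account names, e.g. {'DC01$'}."""
    findings = []
    for ev in map(parse_event, lines):
        eid, acct, dc = ev.get("EventID"), ev.get("Account"), ev.get("Computer")
        if eid == "5829":
            # Logged only while vulnerable connections are still ALLOWED: enforcement is off
            # and this device can be impersonated the ZeroLogon way.
            findings.append(("HIGH", "vulnerable-connection-allowed",
                             f"{dc} allowed a vulnerable Netlogon channel for {acct} from "
                             f"{ev['Source']}; enforcement not active"))
        elif eid in ("5827", "5828"):
            # Denied: a non-compliant device, or an exploitation attempt against a patched DC.
            findings.append(("MEDIUM", "vulnerable-connection-denied",
                             f"{dc} denied a vulnerable Netlogon channel for {acct} from "
                             f"{ev['Source']}; check the device or treat as an attempt"))
        elif eid in ("5830", "5831"):
            # Allowed only through the 'Allow vulnerable Netlogon secure channel connections' GPO.
            findings.append(("MEDIUM", "gpo-exception-in-use",
                             f"{acct} is exempted by group policy on {dc}; review the exception"))
        elif eid == "4742" and ev.get("Subject") == "ANONYMOUS LOGON":
            # An anonymous caller changing a computer account is the footprint of
            # NetrServerPasswordSet2 over an unauthenticated channel; on a DC's own account
            # it is the ZeroLogon reset itself.
            target = ev.get("Target", "")
            sev = "CRITICAL" if target in dc_accounts else "HIGH"
            findings.append((sev, "anonymous-computer-password-reset",
                             f"{target} modified by ANONYMOUS LOGON on {dc} "
                             f"({ev.get('Changed', 'attributes')})"))
        # 4624 type-3 ANONYMOUS LOGON on its own is routine noise; it is used below only to
        # find the source address behind a 4742 hit.
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return [{"severity": s, "rule": r, "detail": d} for s, r, d in findings]

def source_of_anonymous_logons(lines):
    """Source addresses of 4624 ANONYMOUS LOGON network logons, to pivot from a 4742 hit."""
    return sorted({ev["Source"] for ev in map(parse_event, lines)
                   if ev.get("EventID") == "4624" and ev.get("Subject") == "ANONYMOUS LOGON"
                   and ev.get("LogonType") == "3"})

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"[{f['severity']:8}] {f['rule']}: {f['detail']}")
    print("anonymous logon sources:", source_of_anonymous_logons(SAMPLE_EVENTS))
```

On the sample, the anonymous reset of DC01$ ranks first, the 5829 for FILESRV01$ tells you enforcement is still off on DC01, and the two MEDIUM items are the cleanup list (a device to fix or investigate, and a GPO exception to retire). The 4742 event carries no network address, so the 4624 anonymous logons from the same window are the pivot to the attacking host.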
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-1472 |
| Vendor / Product | Microsoft — Netlogon |
| NVD Published | 2020-08-17 |
| NVD Last Modified | 2026-02-23 |
| CVSS 3.1 Score | 5.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Severity | MEDIUM |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2022-05-03 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2020-08-11 | Microsoft patches CVE-2020-1472 in August 2020 Patch Tuesday |
| 2020-08-17 | CVE-2020-1472 published |
| 2020-09-11 | Secura publishes ZeroLogon technical whitepaper; public PoC exploits appear immediately |
| 2020-09-14 | dirkjanm publishes an Impacket-based exploit PoC |
| 2020-09-18 | CISA issues Emergency Directive 20-04 requiring federal agencies to patch by 2020-09-21 |
| 2020-09-23 | Microsoft reports observed in-the-wild exploitation |
| 2021-02-09 | Microsoft's 'Phase 2' enforcement mode enabled by default for all domain controllers |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2020-1472 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Response Center — CVE-2020-1472 | Vendor Advisory |
| Secura: ZeroLogon — Technical Whitepaper by Tom Tervoort | Security Research |
| CVE-2020-1472 PoC — dirkjanm (impacket-based) | Security Research |
| BleepingComputer: ZeroLogon Attack PoC Exploits Available | Security Research |