5.5 CVE-2020-1472
CISA Kev Catalog Brute Force Used by Malware Used by Ransomware Patch Exploit
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.
For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).
When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
https://nvd.nist.gov/vuln/detail/CVE-2020-1472
Categories
CWE-330 : Use of Insufficiently Random Values
When product generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
References
secure@microsoft.com Patch Exploit
CPE
cpe |
start |
end |
Configuration 1 |
cpe:2.3:o:microsoft:windows_server_1903:*:*:*:*:*:*:*:* |
|
|
cpe:2.3:o:microsoft:windows_server_1909:*:*:*:*:*:*:*:* |
|
|
cpe:2.3:o:microsoft:windows_server_2004:-:*:*:*:*:*:*:* |
|
|
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:* |
|
|
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:* |
|
|
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:* |
|
|
cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:* |
|
|
cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:* |
|
|
cpe:2.3:o:microsoft:windows_server_20h2:-:*:*:*:*:*:*:* |
|
|
Configuration 2 |
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:* |
|
|
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* |
|
|
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* |
|
|
Configuration 3 |
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* |
|
|
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:* |
|
|
Configuration 4 |
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:* |
|
|
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:* |
|
|
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* |
|
|
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* |
|
|
cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:* |
|
|
Configuration 5 |
cpe:2.3:a:synology:directory_server:*:*:*:*:*:*:*:* |
|
< 4.4.5-0101 |
Configuration 6 |
cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:* |
|
< 4.10.18 |
cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:* |
>= 4.11.0 |
< 4.11.13 |
cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:* |
>= 4.12.0 |
< 4.12.7 |
Configuration 7 |
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
|
|
Configuration 8 |
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:* |
|
|
REMEDIATION
Patch
EXPLOITS
Exploit-db.com
id |
description |
date |
|
No known exploits |
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
id |
description |
severity |
112 |
Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. [Determine secret testing procedure] Determine how a potential guess of the secret may be tested. This may be accomplished by comparing some manipulation of the secret to a known value, use of the secret to manipulate some known set of data and determining if the result displays specific characteristics (for example, turning cryptotext into plaintext), or by submitting the secret to some external authority and having the external authority respond as to whether the value was the correct secret. Ideally, the attacker will want to determine the correctness of their guess independently since involvement of an external authority is usually slower and can provide an indication to the defender that a brute-force attack is being attempted. [Reduce search space] Find ways to reduce the secret space. The smaller the attacker can make the space they need to search for the secret value, the greater their chances for success. There are a great many ways in which the search space may be reduced. [Expand victory conditions] It is sometimes possible to expand victory conditions. For example, the attacker might not need to know the exact secret but simply needs a value that produces the same result using a one-way function. While doing this does not reduce the size of the search space, the presence of multiple victory conditions does reduce the likely amount of time that the attacker will need to explore the space before finding a workable value. [Gather information so attack can be performed independently.] If possible, gather the necessary information so a successful search can be determined without consultation of an external authority. This can be accomplished by capturing cryptotext (if the goal is decoding the text) or the encrypted password dictionary (if the goal is learning passwords). |
High |
485 |
Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker. |
High |
59 |
Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking. [Find Session IDs] The attacker interacts with the target host and finds that session IDs are used to authenticate users. [Characterize IDs] The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable. [Match issued IDs] The attacker brute forces different values of session ID and manages to predict a valid session ID. [Use matched Session ID] The attacker uses the falsified session ID to access the target system. |
High |
MITRE
Techniques
id |
description |
T1110 |
Brute Force |
T1552.004 |
Unsecured Credentials: Private Keys |
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
Mitigations
id |
description |
T1110 |
Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts. |
T1552.004 |
Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Additionally, on Cisco devices, set the `nonexportable` flag during RSA key pair generation. |
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation. |
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
Discover this offer