CVE-2020-1472: Microsoft Releases Unusual Two-Phase Patch to Enforce Secure RPC

Microsoft’s August 2020 patch for CVE-2020-1472 - Netlogon Elevation of Privilege Vulnerability could cause future business disruption for organizations that don’t plan for it, especially those with legacy networks.

Microsoft’s August 2020 “Patch Tuesday” releases included a rather unusual two-phase patch to address the high-severity CVE-2020-1472 - Netlogon Elevation of Privilege Vulnerability. 

As Microsoft explains the vulnerability, an unauthenticated actor could “use Microsoft’s Netlogon Remote Protocol (MS-NRPC) to connect to a domain controller to obtain domain administrator access.” The MS-NRPC is primarily used by systems to authenticate to a Windows domain. In Kroll’s investigative experience, threat actors often leverage the access gained through this kind of privilege escalation to harvest passwords, move laterally through a network, and in many cases, exfiltrate sensitive data, commit financial fraud or execute ransomware.

However, Microsoft has taken the unusual step of deploying the patch in two phases. This patching sequence reflects the concern that organizations may be using unsupported or third-party devices with insecure MS-NRPC implementations. Microsoft explained that the phased approach will “ensure that vendors of non-compliant implementations can provide customers with updates.”

Disabling the Netlogon Remote Protocol

Another aspect of this patch worth noting is that Microsoft is not updating a system file to fix the vulnerability but rather is disabling the legacy protocol. In Kroll’s experience and open- and closed-source intelligence, one way that exploits are written, is to compare the old program execution with the patched program execution. The comparison often provides hints about how the old program execution is exploitable. Microsoft’s approach of disabling the legacy protocol will likely reduce the risk of a public exploit being released before the second phase occurs. However, organizations should remain vigilant given the privilege escalation afforded by this vulnerability.

Microsoft is beginning to enforce secure RPC with the initial patch released on August 11, 2020. This first patch can enforce secure RPC on domain controllers, supported Windows systems and trust accounts, but provides organizations with some breathing room to understand the state of their insecure connections. The next phase, which is slated for deployment on February 9, 2021, will require(s) all Windows and non-Windows devices to use secure RPC with the Netlogon secure channel or explicitly allow the account by adding a group policy exception for the non-compliant device.

Beware of Shadow IT System to Avoid Business Disruptions

Organizations that aren’t aware of or prepared for the February 2021 enforcement may experience significant business disruptions. Given the nature of legacy systems and the shadow IT that can arise without IT’s knowledge, we expect many organizations may not be aware of all their devices using insecure MS-NRPC or could be unsure if they use insecure MS-NRPC calls at all. This patch provides a prime opportunity to gauge the organization’s exposure to a severe vulnerability.

Microsoft has provided detailed instructions on how organizations can manage the new Netlogon/RPC changes. Organizations should especially take note of the event log for insecure RPC usage that Microsoft has built into this first patch. The log will provide sysadmins with visibility into whether insecure RPC calls are being used in the environment and potentially upgrade or exclude systems using insecure RPC ahead of time.

While exclusions may be expedient in the short term, Kroll recommends that organizations work with internal teams and vendors to ensure secure RPC implementations are deployed and necessary exceptions are identified in a timely way.