CVE-2020-1472 Overview
CVE-2020-1472, commonly known as "Zerologon," is a critical elevation of privilege vulnerability in the Netlogon Remote Protocol (MS-NRPC) implementation in Microsoft Windows Server domain controllers. This vulnerability allows an unauthenticated attacker with network access to a domain controller to establish a vulnerable Netlogon secure channel connection and ultimately gain domain administrator privileges.
The vulnerability stems from a cryptographic flaw in the Netlogon authentication process where the initialization vector (IV) used in AES-CFB8 encryption is improperly set to all zeros. This allows an attacker to bypass authentication by sending Netlogon messages with a specially crafted client credential that contains only zeroes, which has a probability of success of approximately 1 in 256 attempts.
Critical Impact
Successful exploitation allows unauthenticated attackers to gain complete domain administrator access, enabling them to take full control of the Active Directory domain including all connected systems, user accounts, and sensitive data.
Affected Products
- Microsoft Windows Server 2008 R2 SP1
- Microsoft Windows Server 2012 / 2012 R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows Server versions 1903, 1909, 2004, 20H2
- Samba (when used as domain controller)
- Fedora Project Fedora 31, 32, 33
- openSUSE Leap 15.1, 15.2
- Canonical Ubuntu Linux 14.04, 16.04, 18.04, 20.04
- Synology Directory Server
- Debian Linux 9.0
- Oracle ZFS Storage Appliance Kit 8.8
Discovery Timeline
- August 17, 2020 - CVE-2020-1472 published to NVD
- February 23, 2026 - Last updated in NVD database
Technical Details for CVE-2020-1472
Vulnerability Analysis
The Zerologon vulnerability exploits a fundamental weakness in the cryptographic implementation of the Netlogon Remote Protocol (MS-NRPC). When a client authenticates to a domain controller, the protocol uses AES-CFB8 encryption to protect the handshake process. However, Microsoft's implementation uses a static initialization vector (IV) of all zeros for this encryption.
In AES-CFB8 mode with a zero IV, there exists a mathematical probability that when the plaintext input is all zeros, the resulting ciphertext will also be all zeros. This occurs approximately once in every 256 encryption operations. An attacker can exploit this by repeatedly sending authentication attempts with a client credential of all zeros until the server accepts the authentication, which typically requires fewer than 256 attempts.
Once authenticated, the attacker can use the Netlogon RPC function NetrServerPasswordSet2 to set the computer account password of the domain controller to a known value (including an empty password). This effectively allows the attacker to impersonate the domain controller and extract all domain credentials from the Active Directory database.
The vulnerability is particularly dangerous because it requires no prior authentication, no user interaction, and can be exploited quickly from any network position that can reach the domain controller's RPC port (typically TCP 135 and dynamic RPC ports).
Root Cause
The root cause of CVE-2020-1472 is the improper use of AES-CFB8 encryption with a static all-zero initialization vector in the Netlogon authentication handshake. Secure cryptographic implementations require unique, unpredictable IVs for each encryption operation to prevent statistical attacks. By using a predictable zero IV, the implementation created a scenario where specific input patterns produce predictable outputs, enabling authentication bypass.
Attack Vector
The attack is executed over the network against domain controllers running the Netlogon service. An unauthenticated attacker with network connectivity to the domain controller can perform the following attack sequence:
- The attacker initiates multiple Netlogon authentication attempts using all-zero client credentials
- After approximately 256 attempts on average, the authentication succeeds due to the cryptographic weakness
- The attacker then calls NetrServerPasswordSet2 to change the domain controller's machine account password
- With control of the DC machine account, the attacker can perform DCSync operations to extract all password hashes from Active Directory
- Using the extracted credentials, the attacker gains complete domain administrator access
The attack can be completed in seconds and leaves minimal forensic evidence if not properly monitored.
Detection Methods for CVE-2020-1472
Indicators of Compromise
- Unexpected Netlogon authentication failures followed by sudden success patterns in Windows Security Event logs (Event ID 4742)
- Domain controller computer account password changes recorded in Event ID 4742 where the subject is not a legitimate administrator
- Anomalous network traffic to domain controllers on RPC ports (TCP 135, 49152-65535) from unexpected internal hosts
- Evidence of DCSync operations or NTDS.dit extraction attempts following a Zerologon attack
Detection Strategies
- Enable and monitor Windows Security Event ID 5829 which specifically logs vulnerable Netlogon connections using the insecure protocol
- Implement network-based detection for repeated Netlogon authentication attempts from the same source in rapid succession
- Deploy behavioral analytics to identify unusual domain controller machine account modifications
- Monitor for abnormal use of Netlogon RPC functions, particularly NetrServerPasswordSet2 calls
Monitoring Recommendations
- Configure Windows Event Forwarding to centralize Domain Controller security logs for analysis
- Enable verbose Netlogon logging via HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag set to 0x2080FFFF
- Implement network segmentation monitoring to detect unauthorized access attempts to domain controllers
- Establish baselines for legitimate Netlogon traffic patterns and alert on significant deviations
How to Mitigate CVE-2020-1472
Immediate Actions Required
- Apply the August 2020 Microsoft security update immediately on all domain controllers as the first priority
- Enable enforcement mode for secure RPC by setting the FullSecureChannelProtection registry value to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
- Audit all devices in the domain for Netlogon secure channel compatibility and address any legacy systems that cannot use secure RPC
- For Samba deployments, upgrade to patched versions and set server schannel = yes in smb.conf
- Restrict network access to domain controllers from untrusted network segments
Patch Information
Microsoft addressed CVE-2020-1472 through a phased two-part rollout. The initial patch released in August 2020 introduced detection capabilities and optional enforcement. The second phase, released in February 2021, enforces secure RPC for all Windows devices by default. Organizations should apply both update phases and verify that enforcement mode is active on all domain controllers.
For detailed patch information, consult the Microsoft CVE-2020-1472 Advisory and the CERT VU #490028 advisory.
Linux distributions running Samba as a domain controller should apply distribution-specific patches referenced in the Debian LTS Security Announcement, Ubuntu Security Notices (USN 4510-1, USN 4510-2, USN 4559-1), and Gentoo GLSA 202012-24.
Workarounds
- If immediate patching is not possible, implement network-level restrictions to limit Netlogon RPC access to only trusted and necessary systems
- Deploy firewall rules to block RPC traffic (TCP 135 and dynamic ports 49152-65535) to domain controllers from untrusted segments
- Monitor for Event ID 5829 to identify devices attempting vulnerable Netlogon connections and prioritize their remediation
- Consider temporarily isolating legacy systems that cannot be patched and evaluate their necessity in the domain environment
# Enable Netlogon secure channel enforcement on Windows Server
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v FullSecureChannelProtection /t REG_DWORD /d 1 /f
# Enable verbose Netlogon debugging for monitoring
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v DBFlag /t REG_DWORD /d 0x2080FFFF /f
# Samba configuration to enforce secure channel
# Add to smb.conf under [global]:
# server schannel = yes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
