ALERT: Update Windows Server ASAP for critical Netlogon RPC vulnerability

Monday, September 21, 2020

The information below was sent to U-M IT groups on September 21, 2020. It is intended for U-M IT staff who are responsible for Windows Servers with the domain controller role.

Summary

Exploit code for a critical Microsoft Netlogon Remote Protocol (MS-RPC) vulnerability is now publicly available according to the Cybersecurity and Infrastructure Security Agency (CISA). CISA has issued an emergency directive for the vulnerability, underscoring the urgency of addressing it as soon as possible. Microsoft addresses the vulnerability in its August 2020 Security Update. If you have not yet applied the August 2020 Security Update to machines running Windows Server with the domain controller role, do so as soon as possible after appropriate testing. If affected domain controllers cannot be updated, remove them from the network until the update can be applied.

Problem

According to Forbes, "CVE-2020-1472 is about as serious as it gets, hence the maximum 10 Common Vulnerability Scoring System (CVSS) rating and the critical severity that Microsoft has attached to it. The vulnerability itself opens the doors for an attacker already inside the network to access the Windows Server Active Directory domain controller."

Affected Versions

All versions of Windows Server with the domain controller role. This includes read-only domain controllers.

Action Items

The August update is the first in a two-phase mitigation of the vulnerability. Microsoft expects to release a further update in February 2021 that will require "all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device."

Threats

Exploit code is publicly available. This increases the likelihood of the vulnerability being exploited on any unpatched version of Windows Server with the domain controller role.

Technical Details

The updates address the vulnerability by modifying how Netlogon handles the use of Netlogon secure channels. To provide Active Directory forest protection, all domain controllers must be updated so that they will enforce secure RPC with a Netlogon secure channel. This includes read-only domain controllers.

How We Protect U-M

  • ITS Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
  • IA provides vulnerability management guidance to the university.
  • ITS updates MiWorkspace and MiServer managed machines as soon as possible after appropriate testing.

Information for Users

This vulnerability affects servers, not personal computers. Most users do not need to do anything.

Questions, Concerns, Reports

Please contact info-assurance@umich.edu.

References