CISA Urges Businesses to Patch Domain Controller Netlogon Flaw

• CISA is aware of active exploitation of Netlogon bug
• A remote attacker can exploit the vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access
• Agency urges admins to applyi patches from Microsoft’s August 2020 Security Advisory for CVE-2020-1472

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging businesses to patch a critical vulnerability in the Microsoft Netlogon Remote Protocol. The reason? Malicious actors have knitted together some exploit code for it.

Netlogon is a Windows Server process that continuously runs in the background and authenticates users and other services within a domain.

CISA has been warning about the flaw for a while now, yet organizations are notoriously slow to deploy patches, even for flaws with a high CVSS score. Thus, the agency has released a new advisory, warning of exploit code in the wild for this particular bug – hence, the urgency to deploy the fixes.

“The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. Applying patches from Microsoft’s August 2020 Security Advisory for CVE-2020-1472 can prevent exploitation of this vulnerability,” reads the advisory.

IT administrators seeking to detect whether their organization is vulnerable can use CISA’s handy patch validation script.

“CISA urges administrators to patch all domain controllers immediately—until every domain controller is updated, the entire infrastructure remains vulnerable,” the agency warns.

Administrators can find additional resources about the flaw, as well as mitigation steps, here.