What are the technical specifics of the issue?
Microsoft, in its August 2020 Patch Tuesday release, disclosed details on CVE-2020-1472, which is a Privilege Escalation vulnerability in the Netlogon Remote Protocol. If successfully exploited, this vulnerability would allow for an attacker to run a specially crafted payload on a networked host against a domain controller to obtain domain administrator access. Security researchers have released several proof of concept scripts which can successfully exploit this vulnerability.
See also
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
- https://www.secura.com/blog/zero-logon
- https://nakedsecurity.sophos.com/2020/09/17/zerologon-hacking-windows-servers-with-a-bunch-of-zeros/
How are Sophos customers protected?
Various Sophos products can mitigate the vulnerability using IPS. There is no action required for Sophos customers as IPS signatures are automatically deployed.
Sophos MTR customers have already been advised of this issue. The Sophos MTR team is monitoring for ongoing activity and for networking attempts to exploit this vulnerability.
Sophos recommends that customers follow Microsoft's recommendation and apply the official August 2020 patch.
XG Firewall
- IPS signatures were published on September 16, 2020
- SIDs are 2303764, 2303765, 2303768, 2303769
Endpoint and Server IPS
These products are currently in Early Access.
- IPS signatures were published on September 17, 2020
- SIDs are 2303764, 2303765, 2303768, 2303769
SG UTM
- IPS signatures were published on September 21, 2020
- SIDs are 55703, 55704