I have a Windows Server 2012 R2 and would like to apply the patch to fix the ZeroLogon issue (CVE-2020-1472). So I downloaded KB4571703
from the Windows Update Catalog, then installed it using the following steps:
1. expand -F:* "C:\Temp\kb4571703.msu" C:\Temp\kb4571703
2. cd C:\Temp\kb4571703
3. dism /online /add-package /packagepath:Windows8.1-KB4571703-x64.cab
4. restart-computer
I checked Installed Updates in Control Panel, and I can see that KB4571703
is installed.
Then I double-checked it by running the scripts provided by SecuraBV and picuslabs, but whatever I've tried, the script always returns the message "Success! DC can be fully compromised by a Zerologon attack.", which means the vulnerability still exists!
That really confused me, so I enabled NetLogon logging to dig into the details. Here are some parts of the logs:
16:29:10 [CRITICAL] [644] NetrServerAuthenticate: Bad password 0 for Corey-AD-1 on account Corey-AD-1$
16:29:10 [CRITICAL] [644] NetrServerAuthenticate: Bad password 0 for Corey-AD-1 on account Corey-AD-1$
16:29:10 [CRITICAL] [644] NetrServerAuthenticate: Bad password 0 for Corey-AD-1 on account Corey-AD-1$
16:29:10 [CRITICAL] [644] NetrServerAuthenticate: Bad password 0 for Corey-AD-1 on account Corey-AD-1$
16:29:10 [MISC] [644] Eventlog: 5805 (1) "Corey-AD-1" 0xc0000022 2f8270f1 5bc8d5e7 34c3e164 6665df64 .p./...[d..4d.ef
16:29:10 [CRITICAL] [644] NlTransportLookup: \\Corey-AD-1: Cannot NetSessionEnum 2312
16:29:10 [SESSION] [644] NetrServerAuthenticate returns Success: Corey-AD-1 on account Corey-AD-1$ (Negot: 212fffff)
As you can see, the service returns Success at the end, which means the attack was successful. But why? I already patched KB4571703
on my Windows Server 2012 R2, so what causes this to happen?
Update 19/11/2020
I can't find any log with Event ID 5827, 5828, 5829, 5830, or 5831 in Event Viewer > Windows Logs > System after applying the patch KB4571703 or KB4577066.
I can't find the setting "Domain controller: Allow vulnerable Netlogon secure channel connections" in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options either.
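A defender-side check of the three things the post asks about (whether the update is reported as installed, the Netlogon enforcement setting, and the 5827-5831 events), as an added PowerShell example that is not part of the original post. It assumes an elevated session on the DC itself; the KB numbers come from the post, while the registry value name is the one Microsoft documents for the Zerologon enforcement phase, not something the post states.

```powershell
# Added verification helper, not from the original post. Run elevated on the DC.
$kbs = @('KB4571703', 'KB4577066')   # the two updates named in the post

# 1. Does the servicing stack report either Netlogon-hardening update as installed?
$installed = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
if ($installed) {
    $installed | Select-Object HotFixID, InstalledOn | Format-Table -AutoSize
} else {
    Write-Warning "None of $($kbs -join ', ') reported by Get-HotFix"
}

# 2. Enforcement mode (assumed from Microsoft's KB4557222 guidance):
#    FullSecureChannelProtection = 1 forces secure RPC for all Netlogon secure
#    channel connections; absent or 0 keeps the initial deployment-phase behaviour.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$mode = (Get-ItemProperty -Path $params -Name FullSecureChannelProtection `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($null -eq $mode) {
    Write-Output 'FullSecureChannelProtection not set (deployment-phase behaviour)'
} else {
    Write-Output "FullSecureChannelProtection = $mode"
}

# 3. Netlogon events 5827-5831 are written by a patched DC only when it sees
#    (or denies) a vulnerable secure channel attempt, so an empty result means
#    either no such attempt was observed or the patched Netlogon code is not running.
$ids = 5827..5831
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = $ids } `
              -ErrorAction SilentlyContinue
if ($events) {
    $events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
} else {
    Write-Output "No Netlogon events $($ids[0])-$($ids[-1]) found in the System log"
}
```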