KB4571703 doesn't fix ZeroLogon


I have a Windows Server 2012 R2 and would like to apply the patch to fix the ZeroLogon issue (CVE-2020-1472). So I download KB4571703 from the Windows Update Catalog, then install it using the following steps:

1. expand -f:* "C:\Temp\kb4571703.msu" C:\Temp\kb4571703
2. cd C:\Temp\kb4571703
3. dism /online /add-package /packagepath:Windows8.1-KB4571703-x64.cab
4. restart-computer

When I check Installed Updates in Control Panel, I can see that KB4571703 is installed.

Then, I double-check it by running the script provided by SecuraBV and picuslabs, but whatever I've tried, the script always returns the message "Success! DC can be fully compromised by a Zerologon attack.", which means the vulnerability still exists!

That really confused me, so I enabled NetLogon logging to dig into the details. Here are some parts of the log:

16:29:10 [CRITICAL] [644] NetrServerAuthenticate: Bad password 0 for Corey-AD-1 on account Corey-AD-1$
16:29:10 [CRITICAL] [644] NetrServerAuthenticate: Bad password 0 for Corey-AD-1 on account Corey-AD-1$
16:29:10 [CRITICAL] [644] NetrServerAuthenticate: Bad password 0 for Corey-AD-1 on account Corey-AD-1$
16:29:10 [CRITICAL] [644] NetrServerAuthenticate: Bad password 0 for Corey-AD-1 on account Corey-AD-1$
16:29:10 [MISC] [644] Eventlog: 5805 (1) "Corey-AD-1" 0xc0000022 2f8270f1 5bc8d5e7 34c3e164 6665df64 .p./...[d..4d.ef
16:29:10 [CRITICAL] [644] NlTransportLookup: \\Corey-AD-1: Cannot NetSessionEnum 2312
16:29:10 [SESSION] [644] NetrServerAuthenticate returns Success: Corey-AD-1 on account Corey-AD-1$ (Negot: 212fffff)

As you can see, the service returns Success at the end, which means the attack was successful. But why? I already patched KB4571703 on my Windows Server 2012 R2, so what causes this to happen?

Update 19/11/2020

I can't find any log with Event ID 5827, 5828, 5829, 5830, and 5831 in Event Viewer > Windows Logs > System after applying the patch KB4571703 or KB4577066.

I can't find the setting "Domain controller: Allow vulnerable Netlogon secure channel connections" in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options either.

windows-update
windows-server-2012-r2
asked on Super User Nov 18, 2020 by Corey • edited Nov 23, 2020 by Corey
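The checks below are an added example, not code from the question or from Microsoft: a PowerShell script a defender can run on the domain controller to see whether the two updates named in the question are present, whether the Netlogon enforcement registry value is set, whether any of the Netlogon events 5827 to 5831 mentioned in the update have been logged, and whether the Netlogon debug log contains the pattern quoted above (a burst of "Bad password 0" authentication attempts against one machine account followed by "returns Success"). It assumes an elevated PowerShell session on the DC; the registry value name is the one Microsoft documents for the CVE-2020-1472 enforcement phase, and the sample log lines are constructed from the ones quoted in the question so the parser runs even where the real log is absent.

```powershell
# Added example (not from the original post). Defender-side checks for the
# Zerologon (CVE-2020-1472) mitigation state on a Windows Server 2012 R2 DC.
# Assumptions: elevated PowerShell on the DC; KB numbers from the question;
# FullSecureChannelProtection is the enforcement value Microsoft documents.

$Kbs = @('KB4571703', 'KB4577066')   # the two updates named in the question
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-ZerologonPatchState {
    # Get-HotFix only lists packages the servicing stack registered, which is
    # exactly what the Control Panel "Installed Updates" view shows.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
    [pscustomobject]@{
        InstalledKbs = @($installed)
        MissingKbs   = @($Kbs | Where-Object { $installed -notcontains $_ })
    }
}

function Get-NetlogonEnforcement {
    # 1 = enforcement on (vulnerable Netlogon secure channel connections denied)
    # 0 = explicitly off; $null = value not set, so the update's default applies
    $val = (Get-ItemProperty -Path $NetlogonParams -Name FullSecureChannelProtection `
                -ErrorAction SilentlyContinue).FullSecureChannelProtection
    [pscustomobject]@{
        FullSecureChannelProtection = $val
        Enforcing                   = ($val -eq 1)
    }
}

function Get-NetlogonCveEvents {
    param([int]$Days = 7)
    # 5827/5828: vulnerable connection denied; 5829: vulnerable connection
    # allowed (initial deployment phase); 5830/5831: allowed by policy.
    # Get-WinEvent throws when nothing matches, hence SilentlyContinue.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        ForEach-Object { [pscustomobject]@{ EventId = [int]$_.Name; Count = $_.Count } }
}

function Find-ZeroPasswordAuthBursts {
    param([string[]]$Lines, [int]$Threshold = 3)
    # Heuristic over netlogon.log: count "Bad password 0" NetrServerAuthenticate
    # lines per account and report the account when a "returns Success" line
    # follows at least $Threshold of them. A patched, enforcing DC should not
    # log Success after such a burst.
    $badRx = 'NetrServerAuthenticate: Bad password 0 for (?<client>\S+) on account (?<acct>\S+)'
    $okRx  = 'NetrServerAuthenticate returns Success: (?<client>\S+) on account (?<acct>\S+)'
    $counts = @{}
    $hits   = @()
    foreach ($line in $Lines) {
        if ($line -match $badRx) {
            $counts[$Matches.acct] = 1 + [int]$counts[$Matches.acct]
        }
        elseif ($line -match $okRx) {
            $n = [int]$counts[$Matches.acct]
            if ($n -ge $Threshold) {
                $hits += [pscustomobject]@{
                    Account                 = $Matches.acct
                    Client                  = $Matches.client
                    BadPasswordZeroAttempts = $n
                    Line                    = $line
                }
            }
            $counts[$Matches.acct] = 0
        }
    }
    return $hits
}

# Constructed sample: the lines quoted in the question, so the parser runs offline.
$Sample = @(
    '16:29:10 [CRITICAL] [644] NetrServerAuthenticate: Bad password 0 for Corey-AD-1 on account Corey-AD-1$',
    '16:29:10 [CRITICAL] [644] NetrServerAuthenticate: Bad password 0 for Corey-AD-1 on account Corey-AD-1$',
    '16:29:10 [CRITICAL] [644] NetrServerAuthenticate: Bad password 0 for Corey-AD-1 on account Corey-AD-1$',
    '16:29:10 [CRITICAL] [644] NetrServerAuthenticate: Bad password 0 for Corey-AD-1 on account Corey-AD-1$',
    '16:29:10 [CRITICAL] [644] NlTransportLookup: \\Corey-AD-1: Cannot NetSessionEnum 2312',
    '16:29:10 [SESSION] [644] NetrServerAuthenticate returns Success: Corey-AD-1 on account Corey-AD-1$ (Negot: 212fffff)'
)
'--- Sample log from the question ---'
Find-ZeroPasswordAuthBursts -Lines $Sample | Format-Table -AutoSize

$logPath = Join-Path $env:windir 'debug\netlogon.log'
if (Test-Path $logPath) {
    '--- Live netlogon.log ---'
    Find-ZeroPasswordAuthBursts -Lines (Get-Content $logPath) | Format-Table -AutoSize
}
'--- Patch state ---';        Get-ZerologonPatchState | Format-List
'--- Enforcement value ---';  Get-NetlogonEnforcement | Format-List
'--- Netlogon CVE events ---'; Get-NetlogonCveEvents | Format-Table -AutoSize
```

On the sample lines the burst finder reports one hit for account Corey-AD-1$ with four "Bad password 0" attempts before the Success line. If Get-ZerologonPatchState lists both KBs as missing while Control Panel shows them, or Get-NetlogonCveEvents returns nothing at all after weeks of operation, the update's Netlogon changes are not active on that server, which is the situation the question's update describes and the first thing to confirm before re-testing.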

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0