Microsoft Netlogon Protocol CVE-2020-1472
Incident Report for Pulsant Service
On 11th August 2020 Microsoft released the first phase of a two-phase patch for a vulnerability (CVE-2020-1472) affecting the Netlogon Remote Protocol (also called MS-NRPC), an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel.

Over the two phases, these updates enforce the specified Netlogon client behaviour: secure RPC must be used with the Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DC).

Affected areas – All domain controllers, especially where the Netlogon interface is exposed to the internet.

Impact to our customers – Medium. The attack vector in most cases will be limited to the internal network. Domain controllers are on an internal network and therefore are not exposed to any potential future exploit of this vulnerability from external sources. The larger concern is the impact of applying the updates on legacy systems on your network that do not support secure authentication to the domain controller. For this reason, we are encouraging customers to take action now and review the Microsoft guidance below.

Pulsant actions – We are prioritising applying the updates to any high-risk servers which may be Internet-facing. Support teams will continue to work with customers on their patching cycle and support them with any concerns around future compatibility with legacy client operating systems.

For further details regarding this vulnerability, please follow this link to the Microsoft article: CVE-2020-1472 vulnerability

Pulsant recommends that all customers who manage their own servers follow the guidance detailed in the link above.
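
The concern above about legacy systems that cannot use secure RPC can be checked from a domain controller's System event log once the August update is installed. The following is an added example, not from Pulsant or Microsoft: the event IDs are the ones Microsoft documents for this update, while the function name, the sample records, the host names and the assumed "Machine SamAccountName:" message field are constructed for illustration.

```powershell
# Netlogon event IDs from Microsoft's CVE-2020-1472 guidance (not listed on this page):
#   5827, 5828 = vulnerable connection denied (machine account / trust account)
#   5829       = vulnerable connection allowed during the initial deployment phase
#   5830, 5831 = vulnerable connection allowed by a Group Policy exception
$NetlogonIds = 5827, 5828, 5829, 5830, 5831

function Get-VulnerableNetlogonClient {
    param([object[]] $Events = @())
    $Events |
        Where-Object { $_.Id -in $NetlogonIds } |
        ForEach-Object {
            # Assumption: the event text carries a "Machine SamAccountName: <name>" field.
            $account = if ($_.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
            [pscustomobject]@{ Account = $account; Id = $_.Id; TimeCreated = $_.TimeCreated }
        } |
        Group-Object Account |
        ForEach-Object {
            # One row per device: which events it raised, how often, and when last.
            [pscustomobject]@{
                Account  = $_.Name
                EventIds = ($_.Group.Id | Sort-Object -Unique) -join ','
                Count    = $_.Count
                LastSeen = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
            }
        } |
        Sort-Object Count -Descending
}

# Constructed sample records (hypothetical host names) so the function runs offline.
$sample = @(
    [pscustomobject]@{ Id = 5829; TimeCreated = [datetime]'2020-09-20T08:15:00'; Message = 'Machine SamAccountName: LEGACYAPP01$ Domain: EXAMPLE' }
    [pscustomobject]@{ Id = 5829; TimeCreated = [datetime]'2020-09-21T09:30:00'; Message = 'Machine SamAccountName: LEGACYAPP01$ Domain: EXAMPLE' }
    [pscustomobject]@{ Id = 5827; TimeCreated = [datetime]'2020-09-22T11:05:00'; Message = 'Machine SamAccountName: OLDNAS02$ Domain: EXAMPLE' }
    [pscustomobject]@{ Id = 7036; TimeCreated = [datetime]'2020-09-22T11:06:00'; Message = 'Unrelated service state change' }
)
Get-VulnerableNetlogonClient -Events $sample | Format-Table -AutoSize

# On a domain controller, read the System log instead of the sample:
# $real = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $NetlogonIds } -ErrorAction SilentlyContinue)
# Get-VulnerableNetlogonClient -Events $real | Format-Table -AutoSize
```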
Posted Sep 24, 2020 - 16:05 BST
This incident affects: Managed Cloud (Azure, AWS, Pulsant Enterprise Cloud (PEC) Edinburgh, Pulsant Enterprise Cloud (PEC) Milton Keynes, Pulsant Enterprise Cloud (PEC) Newcastle Central, Pulsant Enterprise Cloud (PEC) Newcastle East, Pulsant Enterprise Cloud (PEC) Reading).