My Pulsant
Microsoft Netlogon Protocol CVE-2020-1472
Incident
Report for Pulsant Service
Resolved
This incident has been resolved.
Identified
On 11th August 2020 Microsoft released the first phase of a two phase patch for vulnerability (CVE-2020-1472) affecting the Netlogon Remote Protocol (also called MS-NRPC) which is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel.
Over the two phases, these updates enforce the specified Netlogon client behaviour to use secure RPC with Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DC).
Affected areas - All Domain controllers, especially where the Netlogon interface is exposed to the internet
Impact to our customers – Medium. The attack vector in most cases will be limited to the internal network. Domain controllers are on an internal network and therefore are not exposed to any potential future exploit of this vulnerability from external sources. The larger concern is the impact of applying the updates to the legacy systems on your network which do not support secure authentication to the domain controller. For this reason we are encouraging customers to take action now and review Microsoft guidance below.
Pulsant actions – We are prioritising applying the updates to any high risk servers which maybe Internet facing. Support teams will continue to work with customers on their patching cycle and support with any concerns around future compatibility with legacy client operating systems.
For further details regarding this vulnerability please follow this link to the Microsoft article CVE-2020-1472 vulnerability
Pulsant recommends that all customers who manage their own servers, follow the guidance detailed in the link above.
Over the two phases, these updates enforce the specified Netlogon client behaviour to use secure RPC with Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DC).
Affected areas - All Domain controllers, especially where the Netlogon interface is exposed to the internet
Impact to our customers – Medium. The attack vector in most cases will be limited to the internal network. Domain controllers are on an internal network and therefore are not exposed to any potential future exploit of this vulnerability from external sources. The larger concern is the impact of applying the updates to the legacy systems on your network which do not support secure authentication to the domain controller. For this reason we are encouraging customers to take action now and review Microsoft guidance below.
Pulsant actions – We are prioritising applying the updates to any high risk servers which maybe Internet facing. Support teams will continue to work with customers on their patching cycle and support with any concerns around future compatibility with legacy client operating systems.
For further details regarding this vulnerability please follow this link to the Microsoft article CVE-2020-1472 vulnerability
Pulsant recommends that all customers who manage their own servers, follow the guidance detailed in the link above.
This incident affected: Managed Cloud (Azure, AWS, Pulsant Enterprise Cloud (PEC) Edinburgh, Pulsant Enterprise Cloud (PEC) Milton Keynes, Pulsant Enterprise Cloud (PEC) Newcastle Central, Pulsant Enterprise Cloud (PEC) Newcastle East, Pulsant Enterprise Cloud (PEC) Reading).