Windows Netlogon Elevation of Privilege Vulnerability

Security Vulnerability

Released: Oct 8, 2024

Assigning CNA: Microsoft
CVE.org link: CVE-2024-38124
Impact: Elevation of Privilege
Max Severity: Important
Weakness:
CVSS Source: Microsoft
Vector String: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

Please see Common Vulnerability Scoring System for more information on the definition of these metrics.

Exploitability

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

Publicly disclosed: No
Exploited: No
Exploitability assessment: Exploitation Less Likely

Mitigations

The following mitigating factors might be helpful in your situation:

  • Predictable Naming Conventions: Avoid using predictable naming conventions for domain controllers to prevent attackers from renaming their machines to match the next name to be assigned to a new domain controller.
  • Secure Channel Validation: Ensure that the secure channel is validated against more than just the computer name of the machine it was delivered to. This can help prevent attackers from impersonating the domain controller by obtaining the handle and waiting for the new domain controller to be promoted.
  • Monitor for Renaming Activities: Implement monitoring for any suspicious renaming activities of computers within the network. This can help with early detection and prevention of potential attacks.
  • Enhanced Authentication Mechanisms: Consider using enhanced authentication mechanisms that go beyond the current validation methods to ensure the authenticity of the domain controller and the secure channel.
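
One way to implement the rename monitoring described above, as an added example that is not part of the original advisory or Microsoft's own tooling. It assumes Security event ID 4781 ("The name of an account was changed") records have already been exported and flattened into dicts; the inventory of DC names, the 24-hour window, and all sample records are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

KNOWN_DCS = {"DC01", "DC02", "DC03"}   # constructed inventory of current DC names
REVERT_WINDOW = timedelta(hours=24)    # assumed tuning value

def next_dc_names(known):
    """Next name in each numbered series, e.g. DC01..DC03 -> DC04."""
    highest = {}
    for name in known:
        m = re.fullmatch(r"(.*?)(\d+)", name.upper())
        if m:
            key = (m.group(1), len(m.group(2)))
            highest[key] = max(highest.get(key, 0), int(m.group(2)))
    return {f"{prefix}{num + 1:0{width}d}" for (prefix, width), num in highest.items()}

def find_suspicious_renames(events, known_dcs=KNOWN_DCS):
    """Scan Event ID 4781 records (dicts, oldest first) for DC-name squatting."""
    watch = {n.upper() for n in known_dcs} | next_dc_names(known_dcs)
    pending = {}  # TargetSid -> (original name, time it took a DC-like name)
    alerts = []
    for ev in events:
        if not ev["OldTargetUserName"].endswith("$"):
            continue  # only computer accounts carry the trailing "$"
        old = ev["OldTargetUserName"].rstrip("$").upper()
        new = ev["NewTargetUserName"].rstrip("$").upper()
        when = datetime.fromisoformat(ev["TimeCreated"])
        sid = ev["TargetSid"]
        if new in watch and old not in watch:
            alerts.append(("dc-like-name", old, new))
            pending[sid] = (old, when)
        elif sid in pending:
            original, since = pending.pop(sid)
            if new == original and when - since <= REVERT_WINDOW:
                alerts.append(("renamed-back", old, new))
    return alerts

# Constructed sample records using the 4781 field names plus the event timestamp.
SID_A = "S-1-5-21-1111111111-2222222222-3333333333-1117"
SID_B = "S-1-5-21-1111111111-2222222222-3333333333-1204"
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-10-01T09:00:00", "TargetSid": SID_A,
     "OldTargetUserName": "WKSTN-117$", "NewTargetUserName": "DC04$"},
    {"TimeCreated": "2024-10-01T09:20:00", "TargetSid": SID_A,
     "OldTargetUserName": "DC04$", "NewTargetUserName": "WKSTN-117$"},
    {"TimeCreated": "2024-10-02T14:05:00", "TargetSid": SID_B,
     "OldTargetUserName": "LAPTOP-OLD$", "NewTargetUserName": "LAPTOP-NEW$"},
]
```

Tracking by SID rather than by name keeps the two renames tied to the same computer account even though its name changes between events.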

FAQ

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain domain administrator privileges.

According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?

An authenticated attacker could exploit this vulnerability with LAN access.

How could an attacker exploit this vulnerability?

To exploit this vulnerability, an attacker would need to predict the name of a new domain controller and rename their computer to match it. They would then establish a secure channel and keep it active while renaming their computer back to its original name. Once the new domain controller is promoted, the attacker could use the secure channel to impersonate the domain controller and potentially compromise the entire domain.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

Acknowledgements

  • Paul Miller with Microsoft

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgements for more information.

Security Updates

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.


Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions
