Windows Netlogon Elevation of Privilege Vulnerability
Released: Oct 8, 2024
- Assigning CNA: Microsoft
- CVE.org link: CVE-2024-38124
- Impact: Elevation of Privilege
- Max Severity: Important
- Weakness
- CVSS Source: Microsoft
- Vector String: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
- Metrics: CVSS:3.1 9.0 / 7.8 (Base score metrics: 9.0 / Temporal score metrics: 7.8)
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High
- Exploit Code Maturity: Unproven
- Remediation Level: Official Fix
- Report Confidence: Confirmed
Please see Common Vulnerability Scoring System for more information on the definition of these metrics.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed: No
- Exploited: No
- Exploitability assessment: Exploitation Less Likely
Mitigations
The following mitigating factors might be helpful in your situation:
- Predictable Naming Conventions: Avoid using predictable naming conventions for domain controllers to prevent attackers from renaming their machines to match the next name to be assigned to a new domain controller.
- Secure Channel Validation: Ensure that the secure channel is validated against more than just the computer name of the machine it was delivered to. This can help prevent attackers from impersonating the domain controller by obtaining the handle and waiting for the new domain controller to be promoted.
- Monitor for Renaming Activities: Implement monitoring for any suspicious renaming activities of computers within the network. This can help with early detection and prevention of potential attacks.
- Enhanced Authentication Mechanisms: Consider using enhanced authentication mechanisms that go beyond the current validation methods to ensure the authenticity of the domain controller and the secure channel.
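The rename monitoring and naming-convention mitigations above can be combined into one check. The following is an added example, not code from this advisory or from Microsoft: it assumes computer rename records have been exported from Windows Security event 4781 (account name changed) with its `OldTargetUserName` and `NewTargetUserName` fields, and that domain controllers follow a prefix-plus-number scheme. The function names, host names and sample records are hypothetical.

```python
import re
from datetime import datetime, timedelta

def next_dc_names(existing, lookahead=2):
    """Names likely to be assigned next under a prefix+number scheme (DC01, DC02 -> DC03)."""
    groups = {}
    for name in existing:
        m = re.fullmatch(r"(.*?)(\d+)", name.upper())
        if m:  # group by prefix and digit width, remember the numbers in use
            groups.setdefault((m.group(1), len(m.group(2))), []).append(int(m.group(2)))
    return {f"{prefix}{max(nums) + i:0{width}d}"
            for (prefix, width), nums in groups.items()
            for i in range(1, lookahead + 1)}

def flag_renames(events, existing_dcs, window=timedelta(days=30)):
    """Flag computer renames onto a current or predicted DC name, and the rename back."""
    watch = {n.upper() for n in existing_dcs} | next_dc_names(existing_dcs)
    alerts, held = [], {}  # held: original name -> (watched name taken, time)
    for ev in sorted(events, key=lambda e: e["time"]):
        if not ev["NewTargetUserName"].endswith("$"):
            continue  # computer accounts end in "$"; skip user renames
        old = ev["OldTargetUserName"].rstrip("$").upper()
        new = ev["NewTargetUserName"].rstrip("$").upper()
        if new in watch:
            alerts.append(("renamed-to-dc-name", old, new))
            held[old] = (new, ev["time"])
        elif new in held and held[new][0] == old and ev["time"] - held[new][1] <= window:
            alerts.append(("renamed-back", old, new))
    return alerts

# Constructed sample records (not real logs), shaped like event 4781 fields.
EXISTING_DCS = ["DC01", "DC02"]
EVENTS = [
    {"time": datetime(2024, 10, 1, 9, 0),
     "OldTargetUserName": "WKS-114$", "NewTargetUserName": "WKS-115$"},
    {"time": datetime(2024, 10, 1, 9, 2),
     "OldTargetUserName": "jsmith", "NewTargetUserName": "jsmith2"},
    {"time": datetime(2024, 10, 1, 9, 5),
     "OldTargetUserName": "LAB-PC7$", "NewTargetUserName": "DC03$"},
    {"time": datetime(2024, 10, 1, 9, 20),
     "OldTargetUserName": "DC03$", "NewTargetUserName": "LAB-PC7$"},
]

if __name__ == "__main__":
    for alert in flag_renames(EVENTS, EXISTING_DCS):
        print(alert)
```

A `renamed-to-dc-name` alert followed by `renamed-back` for the same machine is the sequence to investigate before promoting a domain controller under that name.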
FAQ
What privileges could be gained by an attacker who successfully exploited the vulnerability?
An attacker who successfully exploited this vulnerability could gain domain administrator privileges.
According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?
An authenticated attacker could exploit this vulnerability with LAN access.
How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would need to predict the name of a new domain controller and rename their computer to match it. They would then establish a secure channel and keep it active while renaming their computer back to its original name. Once the new domain controller is promoted, the attacker could use the secure channel to impersonate the domain controller and potentially compromise the entire domain.
According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?
An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.
Acknowledgements
- Paul Miller with Microsoft
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
- 6.3.9600.22221
- 6.2.9200.25118
- 6.1.7601.27366
- 6.0.6003.22918
- 10.0.14393.7428
- 10.0.25398.1189
- 10.0.20348.2762
- 10.0.17763.6414
Revisions
Information published.