This Remedy Report blog post provides easy access to curated remedies and fixes for the Netlogon and sudo vulnerabilities. These two security vulnerabilities, CVE-2021-3156 (sudo buffer overflow vulnerability) and CVE-2020-1472 (Netlogon remote protocol vulnerability), were two of the most popular vulnerabilities on Remedy Cloud in the last couple of months based on user searches and page views.
Vulcan Cyber is in the business of getting fix done through vulnerability remediation orchestration. We go beyond simple vulnerability scanning and prioritization to help IT security professionals quickly find the best remedies for the vulnerabilities that need to be addressed in their environments.
Vulcan Remedy Cloud is the world’s largest database of remedies and fixes for the thousands of cyber security vulnerabilities that cross the desks of IT security professionals every year. We love to see how much value infosec practitioners are getting out of Remedy Cloud these days. It provides a much-needed, free service where we do the job of finding and curating the best remedies for the vulnerabilities that ail you, so you don’t have to.
As an additional service to the IT security industry, we share monthly Remedy Cloud usage trend data, completely anonymized of course. We will highlight trend analytics such as “most-searched CVEs” and “most-visited vulnerability remedies.”
This Remedy Report blog post summarizes the two most popular CVE searches in Remedy Cloud during the last 60 days, both of which leave systems vulnerable to unauthorized privilege escalation:
- CVE-2021-3156: Sudo buffer overflow vulnerability
- CVE-2020-1472: Netlogon Remote Protocol vulnerability
What is the CVE-2021-3156 vulnerability?
This sudo heap-based buffer overflow vulnerability allows privilege escalation to root via the command sudoedit -s and a command-line argument that ends with a single backslash character. CVE-2021-3156 was first published in the National Vulnerability Database (NVD) on January 26, 2021, but according to security firm Qualys, the issue was introduced as far back as July 2011.
The vulnerability’s high severity CVSS score is based on its easily accessible attack vector (local), low attack complexity, low privileges required, no need for user interaction, and its high impact on confidentiality, integrity, and availability.
This isn't the first time we've seen a vulnerability related to the sudo command. We dedicated an entire blog post to understanding both sudo vulns, titled "Fix the Sudo Command Vulnerability, Again." Check it out for more detailed info on how to fix CVE-2019-14287 and CVE-2021-3156.
Does CVE-2021-3156 affect me?
Given how long the bug went unnoticed, this vulnerability affects you if you are running one of the following sudo package versions:
- All legacy versions from 1.8.2 to 1.8.31p2
- All stable versions from 1.9.0 to 1.9.5p1 in their default configuration
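To check a fleet's sudo builds against the affected ranges above (and the 1.9.5p2 fix the post names later), here is an added example, not code from the original post or from Vulcan Cyber; the sample version strings are constructed, and the caveat is that distributions often backport the fix into a package whose upstream version still falls in the affected range, so a version match is a reason to consult the vendor advisory, not proof of exposure.

```python
import re
from typing import Optional, Tuple

# Affected ranges as stated in the post: legacy 1.8.2 .. 1.8.31p2 and
# stable 1.9.0 .. 1.9.5p1 (default configuration). 1.9.5p2 is the fixed release.
# Tuples are (major, minor, patch, p-level); both bounds are inclusive.
AFFECTED_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)

# Upstream sudo releases look like 1.8.31 or 1.8.31p2; distro suffixes such as
# "-1ubuntu1.2" are ignored (they may carry a backported fix, see the lead-in).
UPSTREAM_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse 'Sudo version 1.8.31p2' (first line of `sudo --version`) or a bare
    '1.9.5p1' into a comparable tuple. A release without a 'pN' suffix gets
    p-level 0 so that 1.9.5 sorts before 1.9.5p1."""
    m = UPSTREAM_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(text: str) -> Optional[bool]:
    """True if the upstream version is inside an affected range, False if not,
    None if no version could be parsed from the text."""
    v = parse_sudo_version(text)
    if v is None:
        return None
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inventory: host name -> first line of `sudo --version`.
    inventory = {
        "web-01": "Sudo version 1.8.31p2",
        "db-02": "Sudo version 1.9.5p1",
        "bastion": "Sudo version 1.9.5p2",
        "legacy-box": "Sudo version 1.8.1",
    }
    for host, banner in inventory.items():
        print(f"{host:10s} {banner:25s} affected={is_affected(banner)}")
```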
Has CVE-2021-3156 been actively exploited in the wild?
Dubbed “Baron Samedit,” this vulnerability has high potential for exploitability. The Qualys research team that identified the vulnerability was able to develop multiple successful exploits for three leading Linux distributions: Ubuntu, Debian, and Fedora. ZDNet reports that botnets targeting Linux systems through brute-force attacks could abuse the vulnerability in the second stage of an attack, leveraging low-privileged service accounts to gain root access and full control over a compromised server.
How do I remediate CVE-2021-3156?
Now that a patched version is available (1.9.5p2), the best way to remediate is to search CVE-2021-3156 in Remedy Cloud for the relevant version update(s) using the OS and VERSION filters for TYPE “Version Update.” The fix will provide all the information necessary to download and deploy the update. We've recently shared our thoughts on this sudo command vulnerability in a blog post; read it if you want to dive into more detail.
What is the CVE-2020-1472 vulnerability?
First published by Microsoft in the National Vulnerability Database (NVD) on August 17, 2020, the CVE-2020-1472 vulnerability, also known as the Zerologon vulnerability, allows an attacker to gain elevated privileges by leveraging the Netlogon Remote Protocol (MS-NRPC) to establish a vulnerable Netlogon secure channel connection to a domain controller.
The vulnerability has the highest CVSS severity score possible (10), based on its:
- Easily accessible attack vector (Network)
- Low attack complexity
- No requirements for privileges or user interaction
- High impact on confidentiality, integrity, and availability
Does CVE-2020-1472 affect me?
According to Kaspersky, CVE-2020-1472 exposes networks that are based on domain controllers running under Windows. As reported by Microsoft, CVE-2020-1472 affects the following Windows Server products:

| Product | Affected versions / editions |
|---|---|
| Windows Server 2019 | All editions |
| Windows Server 2016 | |
| Windows Server | Version 1909, all editions; Version 1903, all editions; Version 1809 (Datacenter, Standard) |
| Windows Server 2012 R2 | |
| Windows Server 2012 | |
| Windows Server 2008 R2 | Service Pack 1 |
Has CVE-2020-1472 been actively exploited in the wild?
No active exploits have been reported, but security company Rapid7 notes that there are multiple public PoC exploits available for both Windows and Samba domain controllers. Security experts consider the authentication bypass easy to weaponize for attacker operations, including ransomware and other malware.
How do I remediate CVE-2020-1472?
Remedy Cloud offers a total of 135 Version Update fixes, but you can easily narrow that down to the fixes relevant to your environment by using the OS and Version search filters.
Get fix done with the Vulcan Cyber vulnerability remediation orchestration platform. The Remedy Cloud library is available to use free of charge. Request a demo or request access to Vulcan Free for vulnerability prioritization.