IDS did not block attacker IP in 2008R2

[kamiran.asia 5]

Hi Dears.

We find s.th in file security v7 - 7.2 .

If attacker blocked by IDS ( for Example Zerologon attack ) Ip will not block for 1 hour !

is this a bug or a problem in 2008R2 ?

 

Best regards.

[Marcos 5,074]

Not sure if I understand. According to the screen shot the IP address 192.168.235.1 was blocked. However, the second screen shot where you ran ping seems unrelated because you pinged 192.168.235.132. If you tried to ping this machine from 192.168.235.1 you should get no response to ping.

[kamiran.asia 5]

25 minutes ago, Marcos said:

Not sure if I understand. According to the screen shot the IP address 192.168.235.1 was blocked. However, the second screen shot where you ran ping seems unrelated because you pinged 192.168.235.132. If you tried to ping this machine from 192.168.235.1 you should get no response to ping.

192.168.235.1 is the attacker and CMD is from attacker PC. Attacker PC is my PC and Server is a VM. these two windows mix in one screen. 😊

[kamiran.asia 5]

Full Screen Shot ...

Attacker Pc : 192.168.235.1

Server : 192.168.235.132

 

 

Edited October 26, 2020 by kamiran.asia

[itman 1,659]

About CVE-2020-1472:

Quote

CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

Security Vulnerability

Published: 08/11/2020 | Last Updated : 09/28/2020
MITRE CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.

To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.

For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).

When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

My best guess is Eset IDS is not currently capable of blocking the attacker IP address for this type of attack. Appears most of those are set up for SMB related vulnerabilities. So it instead blocked access to the targeted IP address.

 

Edited October 26, 2020 by itman

[kamiran.asia 5]

2 minutes ago, itman said:

About CVE-2020-1472:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

My best guess is Eset IDS is not currently capable of blocking the attacker IP address for this type of attack. Appears most of those are set up for SMB related vulnerabilities. So it instead blocked access to the targeted IP address.

 

Dear ITMan , This problem is just in 2008 R2 ,

In 2012 , 2016 , 2019 , ESET IDS Detect CVE-2020-1472 , and The Attacker ip Blocked ! while other Security vendors like kaspersky , bitdefender and mcaffe ( As we tested ) did not detect this attack.

we use picuslabs tool for this attack test . https://github.com/picussecurity/picuslabs/tree/master/CVE-2020-1472 Zerologon

Also we test Other CVE-2020-1472 scripts and the result was the same as picuslabs tools.

the Question is why at 2008 R2 Attack is blocked but attacker IP not blocked even when it is listed in Blacklist IP list ?

[itman 1,659]

6 minutes ago, kamiran.asia said:

This problem is just in 2008 R2

Did you verify that Network Protection is enabled?

[kamiran.asia 5]

3 minutes ago, itman said:

Did you verify that Network Protection is enabled?

Yes Dear , As you can see in the picture we have Network section and attack is detected and Attacker Ip is listed in Black list of IDS.

[itman 1,659]

39 minutes ago, kamiran.asia said:

In 2012 , 2016 , 2019 , ESET IDS Detect CVE-2020-1472 , and The Attacker ip Blocked !

I assume what you mean here is your pinging activity from the source client device was blocked to all servers other than the 2008 R2 one?

Did you try to connect to the 2008 R2 server other than using ping?

Edited October 26, 2020 by itman

[kamiran.asia 5]

10 minutes ago, itman said:

I assume what you mean here is your pinging activity from the source client device was blocked to all servers other than the 2008 R2 one?

Did you try to connect to the 2008 R2 server other than using ping?

No Dear , Problem is Why IDS in 2008R2 did not block communication from attacker ip . attack will block but communication will not block for 1 hour for attacker IP. So hacker can attack over and over again.

As you know when IDS block an IP address , All communications is block for 1 hour ( Ping , ... )

It seems that it is a bug or may be a lake of security in 2008 R2.

[itman 1,659]

I am assuming that you have not purchased an ESU for the 2008R2 server? This is why it has not been patched?

Personally, I wouldn't rely 100% on Eset IDS protection for this vulnerability. You might want to check this out: https://blog.0patch.com/2020/09/micropatch-for-zerologon-perfect.html

[kamiran.asia 5]

6 hours ago, itman said:

I am assuming that you have not purchased an ESU for the 2008R2 server? This is why it has not been patched?

Personally, I wouldn't rely 100% on Eset IDS protection for this vulnerability. You might want to check this out: https://blog.0patch.com/2020/09/micropatch-for-zerologon-perfect.html

As our test in our company ESET IDS can block Zerologon as this detection and block attacker IP for 1 hour :