IDS did not block attacker IP in 2008R2


Hi dears.

We found something in File Security v7 - 7.2.

If an attacker is blocked by the IDS (for example, a Zerologon attack), the IP is not blocked for 1 hour!

Is this a bug, or a problem in 2008 R2?

 

Best regards.

IDS.jpg


Not sure if I understand. According to the screen shot the IP address 192.168.235.1 was blocked. However, the second screen shot where you ran ping seems unrelated because you pinged 192.168.235.132. If you tried to ping this machine from 192.168.235.1 you should get no response to ping.

25 minutes ago, Marcos said:

Not sure if I understand. According to the screen shot the IP address 192.168.235.1 was blocked. However, the second screen shot where you ran ping seems unrelated because you pinged 192.168.235.132. If you tried to ping this machine from 192.168.235.1 you should get no response to ping.

192.168.235.1 is the attacker, and the CMD window is from the attacker PC. The attacker PC is my PC and the server is a VM; the two windows are mixed in one screen. 😊


About CVE-2020-1472:

Quote

CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

Security Vulnerability

Published: 08/11/2020 | Last Updated : 09/28/2020
MITRE CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.

To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.

For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).

When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

My best guess is Eset IDS is not currently capable of blocking the attacker IP address for this type of attack. Appears most of those are set up for SMB related vulnerabilities. So it instead blocked access to the targeted IP address.

 

2 minutes ago, itman said:

About CVE-2020-1472:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

My best guess is Eset IDS is not currently capable of blocking the attacker IP address for this type of attack. Appears most of those are set up for SMB related vulnerabilities. So it instead blocked access to the targeted IP address.

 

Dear itman, this problem is only in 2008 R2.

In 2012, 2016 and 2019, ESET IDS detects CVE-2020-1472 and the attacker IP is blocked, while other security vendors like Kaspersky, Bitdefender and McAfee (as we tested) did not detect this attack.

We use the picuslabs tool for this attack test: https://github.com/picussecurity/picuslabs/tree/master/CVE-2020-1472 (Zerologon).

We also tested other CVE-2020-1472 scripts, and the result was the same as with the picuslabs tool.

The question is: why, on 2008 R2, is the attack blocked but the attacker IP not blocked, even when it is listed in the IDS blacklist?

3 minutes ago, itman said:

Did you verify that Network Protection is enabled?

Eset_FS.png

Yes, as you can see in the picture we have the Network section, the attack is detected, and the attacker IP is listed in the IDS blacklist.

39 minutes ago, kamiran.asia said:

In 2012 , 2016 , 2019 , ESET IDS Detect CVE-2020-1472 , and The Attacker ip Blocked !

I assume what you mean here is your pinging activity from the source client device was blocked to all servers other than the 2008 R2 one?

Did you try to connect to the 2008 R2 server other than using ping?

10 minutes ago, itman said:

I assume what you mean here is your pinging activity from the source client device was blocked to all servers other than the 2008 R2 one?

Did you try to connect to the 2008 R2 server other than using ping?

No, the problem is why the IDS on 2008 R2 did not block communication from the attacker IP. The attack is blocked, but communication from the attacker IP is not blocked for 1 hour, so the hacker can attack over and over again.

As you know, when the IDS blocks an IP address, all communication (ping, ...) is blocked for 1 hour.

It seems that it is a bug, or maybe a lack of security in 2008 R2.

6 hours ago, itman said:

I am assuming that you have not purchased an ESU for the 2008R2 server? This is why it has not been patched?

Personally, I wouldn't rely 100% on Eset IDS protection for this vulnerability. You might want to check this out: https://blog.0patch.com/2020/09/micropatch-for-zerologon-perfect.html

In our test in our company, ESET IDS can block Zerologon with this detection and block the attacker IP for 1 hour:

 

ESET_ZeroLogon.jpg
