How to Mitigate the Netlogon Elevation of Privilege Vulnerability (Single Sign-on through Windows Authentication) - CVE-2020-1472

  • 7024851
  • 05-Oct-2020
  • 07-Oct-2020

Environment

Customers who use Single Sign-on through Windows Authentication with any of these products:
  • Host Access Management and Security Server (MSS) - all versions

  • Host Access for the Cloud - all versions

  • Reflection for the Web - all versions

  • Micro Focus Desktop clients (Reflection, InfoConnect, Rumba+) that are managed with Management and Security Server (MSS)

Situation

Customers using Single Sign-on through Windows to authenticate to Host Access Management and Security Server (MSS) are subject to the “Netlogon Elevation of Privilege Vulnerability” (CVE 2020-1472).

According to NIST, “An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability’.”

Microsoft published guidance on how to manage the changes in Netlogon secure channel connections associated with this CVE. The first step is to update your Domain Controllers.

Unfortunately, after updating your Domain Controllers, MSS’s authentication implementation of “Single Sign-on through Windows authentication” will no longer function.

Resolution

To mitigate the “Netlogon Elevation of Privilege Vulnerability” and its relationship with Host Access Management and Security Server (MSS), use a different authentication method.

Instead of using “Single Sign-on through Windows Authentication, choose one of these methods in Host Access Management and Security Server (MSS Administrative Console):

  • LDAP

  • SAML*

  • Single Sign-on through IIS* (available only for Host Access for the Cloud or Reflection for the Web)

  • X.509

  • SiteMinder

* recommended for a Single Sign-on experience

NOTE: SAML Authentication will be available in Reflection for the Web version 13.2. If you prefer to use SAML with the current (13.1) release, contact Support for more information.

Status

Security Alert

Additional Information

Feedback service temporarily unavailable. For content questions or problems, please contact Support.