
Lansweeper:PetitPotam NTLM Relay Attack Allows Domain Takeover

Published: 2021/11/16 Views: 251
Microsoft released a new security advisory covering PetitPotam.


Microsoft released a new security advisory covering PetitPotam. According to Microsoft, this is a classic NTLM relay attack; however, when exploited it can lead to a domain takeover, because the domain controller is forced to authenticate to a destination under the attacker's control.

Microsoft is going through a rough patch, as PetitPotam is the third major Windows security issue disclosed over the past month after the PrintNightmare and SeriousSAM vulnerabilities.

What is PetitPotam?

PetitPotam was disclosed last week by security researcher Gilles Lionel. In his GitHub, he explains how he was able to "coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function."

The Encrypting File System Remote (EFSRPC) Protocol is a protocol used for maintenance and management operations on encrypted data that is stored remotely and accessed over a network. It is frequently used to manage files on remote file servers that are encrypted using the Encrypting File System (EFS).

The specifics describe how the attack lets an attacker use MS-EFSRPC to make a domain controller authenticate to a remote NTLM endpoint under the attacker's control.

Hi all,
MS-RPRN to coerce machine authentication is great but the service is often disabled nowadays by admins on most orgz.
Here is another way we use to elicit machine account auth via MS-EFSRPC. Enjoy!!

— topotam (@topotam77) July 18, 2021

Mitigation

Microsoft released an advisory with additional details on how to mitigate these types of attacks. The preferred mitigation is to disable NTLM authentication in your domain altogether. To do this, you can follow the steps in the Microsoft documentation Network security: Restrict NTLM: NTLM authentication in this domain. 

If you are unable to disable NTLM on your domain for compatibility reasons, the other suggested mitigations are as follows. They are listed in order from most secure to least secure:

To mitigate against various NTLM relay attacks, disable NTLM where not needed (e.g. DCs) or implement the mitigation feature, Extended Protection for Authentication.

— Security Response (@msftsecresponse) July 24, 2021

On a Lansweeper related note, NTLM is used as a fallback method to Kerberos. So in most scenarios, disabling NTLM should have no impact on Lansweeper scanning.

Find Critical Servers

While this attack can be targeted at any server, domain controllers will likely be favored by attackers. With Lansweeper you can easily get an overview of all your servers, including their details and roles. This way you can find all your servers and see which of them are domain controllers, so you know where to take action.
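The mitigation section above recommends disabling NTLM via the "Network security: Restrict NTLM: NTLM authentication in this domain" policy, and this section recommends locating your domain controllers first. The following PowerShell is an added example, not code from the Lansweeper post or from Microsoft: it enumerates the domain controllers in the current domain, reads the registry values behind that policy and its audit counterpart on each one, and samples the NTLM audit events (Event ID 8004 in the Microsoft-Windows-NTLM/Operational log) that show whether anything still depends on NTLM before the deny setting is enforced. It assumes the ActiveDirectory RSAT module is installed and that WinRM is reachable on the DCs; the function names Get-DcNtlmState and Get-DcNtlmAuditSample are this example's own.

```powershell
# Added example (not from the Lansweeper post or Microsoft). Audits the
# "Restrict NTLM: NTLM authentication in this domain" state on every DC and
# samples NTLM audit events so remaining NTLM dependencies surface before
# enforcement. Assumes RSAT ActiveDirectory module + WinRM access to the DCs.

Import-Module ActiveDirectory

# Documented values of RestrictNTLMInDomain under
# HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
$RestrictLabels = @{
    0 = 'Disable (NTLM allowed)'
    1 = 'Deny for domain accounts to domain servers'
    3 = 'Deny for domain accounts'
    5 = 'Deny for domain servers'
    7 = 'Deny all'
}

function Get-DcNtlmState {
    [CmdletBinding()]
    param(
        # Defaults to every domain controller in the current domain.
        [string[]]$ComputerName = (Get-ADDomainController -Filter * |
            Select-Object -ExpandProperty HostName)
    )

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $p   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        $reg = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Restrict = $reg.RestrictNTLMInDomain   # $null when not configured
            Audit    = $reg.AuditNTLMInDomain      # $null when not configured
        }
    } | ForEach-Object {
        $state = if ($_.Restrict -in 1, 3, 5, 7) { 'Enforced' }
                 elseif ($_.Audit -gt 0)         { 'Audit only' }
                 else                            { 'Not configured' }

        $label = if ($null -eq $_.Restrict) { 'Not configured' }
                 else {
                     $l = $RestrictLabels[[int]$_.Restrict]
                     if ($l) { $l } else { "Unknown value $($_.Restrict)" }
                 }

        [pscustomobject]@{
            Computer     = $_.Computer
            RestrictNTLM = $label
            AuditNTLM    = if ($null -eq $_.Audit) { 'Not configured' } else { $_.Audit }
            State        = $state
        }
    }
}

function Get-DcNtlmAuditSample {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = (Get-ADDomainController -Filter * |
            Select-Object -ExpandProperty HostName),
        [int]$MaxEvents = 500
    )

    # Event 8004 is written by a DC once "Audit NTLM authentication in this
    # domain" is enabled; a non-zero count means NTLM is still in use.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $MaxEvents -ScriptBlock {
        param($MaxEvents)
        $events = Get-WinEvent -FilterHashtable @{
                      LogName = 'Microsoft-Windows-NTLM/Operational'
                      Id      = 8004
                  } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            EventCount = @($events).Count
            Latest     = if ($events) { ($events | Select-Object -First 1).TimeCreated } else { $null }
        }
    } | Select-Object Computer, EventCount, Latest
}

# Usage: run from an admin workstation. Any DC reporting 'Not configured'
# has neither the audit nor the deny policy applied; a DC in 'Audit only'
# with a non-zero EventCount still has NTLM-dependent clients to track down.
Get-DcNtlmState       | Format-Table -AutoSize
Get-DcNtlmAuditSample | Format-Table -AutoSize
```

The audit-first ordering matters: enabling AuditNTLMInDomain on the DCs before RestrictNTLMInDomain lets you confirm the post's claim that Kerberos is used first and NTLM only as a fallback in your own environment, rather than discovering a legacy dependency after authentication starts failing.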

PetitPotam Fixed

In August's Patch Tuesday, Microsoft released a fix for CVE-2021-36942, which is associated with this vulnerability. If you want to rest a little easier, it is best to update your domain controllers with the Microsoft updates from the August Patch Tuesday or later. You can use our August Patch Tuesday Report to check whether your Windows machines have been updated.


© Copyright 2000-2023  COGITO SOFTWARE CO.,LTD. All rights reserved