Microsoft's mitigations of Windows PetitPotam NTLM relay attacks

Yesterday, July 24, 2021, I reported on a new attack vector called PetitPotam that can be used to take over Windows domain controllers by means of an NTLM relay attack (see my post PetitPotam attack allows Windows domain takeover). Microsoft has since reacted and published a security advisory on the issue, together with suggestions on how administrators can mitigate the vulnerability. Let me summarize the most important information.



Microsoft PetitPotam security advisory

German blog reader Carsten already pointed out in this comment last night (thanks for that) that Microsoft had released something regarding PetitPotam. At the same time, I received a security notification mail from Microsoft with the following content.

******************************************************
Title: Microsoft Security Update Revisions
Issued: July 24, 2021
******************************************************

Summary
=======

The following advisory and CVE have undergone major revision increments.

====================================================

The following advisory has been published to the Security Update Guide:

* ADV210003

ADV210003 | Mitigating NTLM Relay Attacks on Active Directory Certificate
   Services (AD CS)
– Version: 1.0
– Reason for Revision: Information published.
– Originally posted: July 24, 2021
– Updated: N/A
– Aggregate CVE Severity Rating: N/A

In ADV210003, Microsoft addresses the weakness that allows NTLM relay attacks against Active Directory Certificate Services and describes mitigations, i.e., configuration measures that weaken the attack vector.

The PetitPotam vulnerability

I had already briefly outlined the attack vector in the blog post PetitPotam attack allows Windows domain takeover. Now the Microsoft security advisory ADV210003 provides confirmation that Microsoft sees a vulnerability there. It states:

Microsoft is aware of PetitPotam which can potentially be used in an attack on Windows domain controllers or other Windows servers. PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers. For example, see Microsoft Security Advisory 974926.

So Microsoft confirms that PetitPotam works as a classic NTLM relay attack, but points out that such attacks have been documented before, along with numerous mitigation options to protect customers; see, for example, Security Advisory 974926 from 2009. Affected by this vulnerability are:

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server, version 2004
  • Windows Server, version 20H2

Regarding the exact variants, I refer to the list in ADV210003.



Microsoft's workaround to mitigate PetitPotam

In security advisory ADV210003, Microsoft gives the following advice for protecting systems against PetitPotam in networks where NTLM authentication is enabled:

To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing. PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks. The mitigations outlined in KB5005413 instruct customers on how to protect their AD CS servers from such attacks.

You are potentially vulnerable to this attack if NTLM authentication is enabled in your domain and you are using Active Directory Certificate Services (AD CS) with any of the following services:

  • Certificate Authority Web Enrollment
  • Certificate Enrollment Web Service

So administrators can mitigate PetitPotam on their systems by applying these protections to the affected AD CS services.
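As an added example (my own audit script, not code from this post, from ADV210003 or from KB5005413), the following PowerShell checks an AD CS server for the points quoted above: whether the Certificate Authority Web Enrollment and Certificate Enrollment Web Service role services are installed, whether their IIS endpoints have Extended Protection for Authentication set to Require and SSL required, and whether the host requires SMB signing or restricts incoming NTLM. It assumes the default site and application names ('Default Web Site', /CertSrv for Web Enrollment, *_CES_* for CES), which are assumptions rather than anything the advisory states, and it only reports; it changes nothing.

```powershell
# Added audit script (not from ADV210003 or KB5005413): reports whether the AD CS web
# endpoints the advisory names are present on this host and whether the protections it
# recommends (EPA on Windows authentication, SSL on the endpoint, SMB signing, NTLM
# restriction) are in place. Read-only; it changes nothing.
# Assumptions: run elevated on the AD CS server; the ServerManager, WebAdministration and
# SmbShare modules are available; endpoints live under 'Default Web Site', Web Enrollment
# at /CertSrv and CES applications named *_CES_* (the default names, assumed here).
#Requires -RunAsAdministrator
Import-Module ServerManager -ErrorAction Stop
Import-Module WebAdministration -ErrorAction Stop

$site     = 'Default Web Site'
$findings = [System.Collections.Generic.List[string]]::new()

# Normalise Get-WebConfigurationProperty output: some attributes come back as a
# ConfigurationAttribute object with a .Value, others as a bare value.
function Get-IisAttr([string]$PsPath, [string]$Filter, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name $Name -ErrorAction Stop
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return $v.Value }
    return $v
}

# 1. Which of the two role services named in the advisory are installed?
$roles     = Get-WindowsFeature -Name ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc
$installed = @($roles | Where-Object Installed)
if ($installed.Count -eq 0) {
    $findings.Add('OK    neither Certificate Authority Web Enrollment nor Certificate Enrollment Web Service is installed')
}
foreach ($r in $installed) { $findings.Add("INFO  installed role service: $($r.DisplayName) ($($r.Name))") }

# 2. IIS endpoints to inspect: /CertSrv (Web Enrollment) plus any *_CES_* application.
$endpoints = @('CertSrv')
$endpoints += @(Get-WebApplication -Site $site |
    Where-Object { $_.path -match '_CES_' } |
    ForEach-Object { $_.path.TrimStart('/') })

foreach ($ep in $endpoints) {
    $psPath = "IIS:\Sites\$site\$ep"
    if (-not (Test-Path $psPath)) { continue }   # endpoint not present on this CA

    # Windows authentication on the endpoint must use Extended Protection (EPA).
    $epa = Get-IisAttr $psPath 'system.webServer/security/authentication/windowsAuthentication' 'extendedProtection.tokenChecking'
    if ("$epa" -in @('Require', '2')) {
        $findings.Add("OK    $ep : EPA tokenChecking = Require")
    } else {
        $findings.Add("WARN  $ep : EPA tokenChecking = '$epa' (KB5005413 asks for Require)")
    }

    # EPA only binds the NTLM exchange to the TLS channel if the endpoint requires SSL.
    $ssl = Get-IisAttr $psPath 'system.webServer/security/access' 'sslFlags'
    $sslRequired = ("$ssl" -match '(^|,)Ssl(,|$)') -or ((($ssl -as [int]) -band 8) -ne 0)
    if ($sslRequired) {
        $findings.Add("OK    $ep : SSL required (sslFlags = $ssl)")
    } else {
        $findings.Add("WARN  $ep : SSL not required (sslFlags = '$ssl'); EPA is ineffective over plain HTTP")
    }
}

# 3. Host-wide relay protections the advisory mentions: SMB signing and NTLM restriction.
$smb = Get-SmbServerConfiguration
if ($smb.RequireSecuritySignature) { $findings.Add('OK    SMB server requires signing') }
else { $findings.Add('WARN  SMB server does not require signing (RequireSecuritySignature = False)') }

$lsa    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
$ntlmIn = $lsa.RestrictReceivingNTLMTraffic   # absent/0 = allow all, 1 = deny domain accounts, 2 = deny all
if ($ntlmIn -ge 1) { $findings.Add("OK    incoming NTLM restricted (RestrictReceivingNTLMTraffic = $ntlmIn)") }
else { $findings.Add('INFO  incoming NTLM is not restricted on this host; the EPA and SSL settings above are what protect AD CS from a relay') }

$findings | ForEach-Object { Write-Output $_ }
$warnings = @($findings | Where-Object { $_ -like 'WARN*' }).Count
Write-Output "$warnings warning(s)"
exit ([int]($warnings -gt 0))
```

Run it on each CA that hosts the web enrollment role services; a non-zero exit code means at least one WARN line, i.e., one of the KB5005413 settings is missing. The EPA and SSL checks belong together: Extended Protection ties the NTLM authentication to the TLS channel, so on an endpoint that still accepts plain HTTP the relay described in the advisory is not stopped even with tokenChecking set to Require.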

Similar articles:
PetitPotam attack allows Windows domain takeover
HiveNightmare: New details about Windows vulnerability CVE-2021-36934
News about Windows 10 vulnerability HiveNightmare
PrintNightmare: Point-and-Print allows installation of arbitrary files


