Microsoft released a new security advisory covering PetitPotam. According to Microsoft, this is a classic NTLM relay attack; however, when exploited it can lead to a domain takeover by forcing the domain controller to authenticate with a malicious destination.
Microsoft is going through a rough patch, as PetitPotam is the third major Windows security issue disclosed over the past month after the PrintNightmare and SeriousSAM vulnerabilities.
What is PetitPotam?
PetitPotam was disclosed last week by security researcher Gilles Lionel. On his GitHub page, he explains how he was able to "coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function."
The Encrypting File System Remote (EFSRPC) Protocol is a protocol used for maintenance and management operations on encrypted data that is stored remotely and accessed over a network. It is frequently used to manage files on remote file servers that are encrypted using the Encrypting File System (EFS).
The specifics detail how the attack uses MS-EFSRPC to make a domain controller authenticate over NTLM to a remote host under an attacker's control.
Microsoft released an advisory with additional details on how to mitigate these types of attacks. The preferred mitigation is to disable NTLM authentication in your domain altogether. To do this, you can follow the steps in the Microsoft documentation for "Network security: Restrict NTLM: NTLM authentication in this domain".
The other mitigations suggested if you are unable to disable NTLM in your domain for compatibility reasons are as follows. They are listed from most secure to least secure:
- Disable NTLM on any AD CS servers in your domain using the group policy "Network security: Restrict NTLM: Incoming NTLM traffic". If needed, you can add exceptions using the setting "Network security: Restrict NTLM: Add server exceptions in this domain".
- Disable NTLM for Internet Information Services (IIS) on AD CS servers in your domain running the "Certificate Authority Web Enrollment" or "Certificate Enrollment Web Service" services.
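As an added example (not code from this page, Lansweeper or Microsoft), the following PowerShell script reads the registry values behind the Restrict NTLM policies listed above and reports whether the AD CS web enrollment role services are installed on the host it runs on. It assumes the standard policy-to-registry mappings under the MSV1_0 and Netlogon\Parameters keys and the Server Manager role-service names; run it elevated on each domain controller or AD CS server you want to check.

```powershell
# Added example, not Lansweeper's or Microsoft's code: audit a server's
# NTLM restriction settings and AD CS web enrollment role services.
# Assumed mappings: "Restrict NTLM" policies are stored as DWORDs under the
# MSV1_0 (Lsa) and Netlogon\Parameters keys below.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy has never been configured on this host.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$msv      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# "NTLM authentication in this domain" (evaluated on DCs): 7 = deny all.
$inDomain = Get-RegDword $netlogon 'RestrictNTLMInDomain'
# "Incoming NTLM traffic": 2 = deny all accounts.
$incoming = Get-RegDword $msv 'RestrictReceivingNTLMTraffic'
# "Add server exceptions in this domain": servers still allowed to use NTLM.
$exceptions = (Get-ItemProperty -Path $netlogon -ErrorAction SilentlyContinue).DCAllowedNTLMServers

[pscustomobject]@{
    Host                 = $env:COMPUTERNAME
    RestrictNTLMInDomain = if ($null -eq $inDomain) { 'not configured' } else { $inDomain }
    RestrictIncomingNTLM = if ($null -eq $incoming) { 'not configured' } else { $incoming }
    NTLMDeniedDomainWide = ($inDomain -eq 7)
    NTLMDeniedIncoming   = ($incoming -eq 2)
    ServerExceptions     = ($exceptions -join ', ')
} | Format-List

# AD CS role services that host the IIS endpoints named in Microsoft's
# advisory. Get-WindowsFeature needs the ServerManager module (server SKUs).
Import-Module ServerManager -ErrorAction SilentlyContinue
Get-WindowsFeature -Name 'ADCS-Web-Enrollment', 'ADCS-Enroll-Web-Svc' |
    Select-Object Name, DisplayName, Installed |
    Format-Table -AutoSize
```

A host that shows both role services installed and NTLMDeniedIncoming as False still has the NTLM path the advisory describes open and should be prioritized.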
On a Lansweeper-related note, Lansweeper uses NTLM only as a fallback method to Kerberos, so in most scenarios disabling NTLM should have no impact on Lansweeper scanning.
Find Critical Servers
While this attack can target any server, domain controllers will likely be favored by attackers. With Lansweeper you can easily get an overview of all your servers, including their details and roles. This way you can find all your servers and see which of them are domain controllers, so you know where to take action.
In August's Patch Tuesday, Microsoft released a fix for CVE-2021-36942, which is associated with this vulnerability. If you want to rest a little easier, it is best to update your domain controllers with the Microsoft updates from the August Patch Tuesday or later. You can use our August Patch Tuesday Report to check whether your Windows machines have been updated.