Threat Signal Report

PetitPotam NTLM relay attack allows attackers to take over Windows domains

Description

FortiGuard Labs is aware of reports that a new vulnerability in Windows allows an attacker to take over a domain controller or other Windows servers. The vulnerable servers have NTLM authentication enabled and run the Active Directory Certificate Services (ADCS) service with either Certificate Authority Web Enrollment or Certificate Enrollment Web Service. Microsoft characterizes the attack as a classic NTLM relay attack, in which an attacker intercepts an authentication exchange and redirects it to another server under the attacker's control, thereby gaining the ability to perform actions with the authenticated user's privileges.


When was The Issue Found?

The issue, along with proof-of-concept code dubbed PetitPotam, was disclosed by French security researcher Gilles Lionel on July 23rd, 2021.


How does PetitPotam Work?

PetitPotam exploits Microsoft's Encrypting File System Remote (MS-EFSRPC) protocol to force remote Windows servers to authenticate to an arbitrary server over LSARPC (TCP port 445). As long as an attacker is able to reach the LSARPC named pipe on the target server and bind to the interface c681d488-d850-11d0-8c52-00c04fd90f7e, the target server can be made to connect to any other server without any authentication.
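As an added illustration (not part of the FortiGuard report or of the PetitPotam PoC), the following Python sketch shows how a defender could flag DCE/RPC binds to the EFSRPC interface UUID named above, over the lsarpc pipe or elsewhere. The record shape, the sample log lines, and the allowlist of expected clients are constructed assumptions, not a real log format.

```python
import json

# Indicator named in the report: the MS-EFSRPC interface UUID (lsarpc pipe).
EFSRPC_UUID = "c681d488-d850-11d0-8c52-00c04fd90f7e"

# Hosts expected to use EFSRPC against servers (assumption, constructed; tune it).
EXPECTED_EFSRPC_CLIENTS = {"10.0.0.20"}


def normalize_uuid(value):
    """Accept '{C681D488-...}' or 'c681d488-...'; return lowercase, no braces."""
    return str(value).strip().strip("{}").lower()


def is_lsarpc_pipe(named_pipe):
    """Zeek writes pipes as '\\pipe\\lsarpc'; compare only the last component."""
    return named_pipe.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "lsarpc"


def detect_efsrpc_binds(lines):
    """Return (alerts, skipped_lines) for EFSRPC binds from unexpected clients."""
    alerts, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # tolerate junk rather than abort the whole scan
            continue
        if normalize_uuid(rec.get("interface_uuid", "")) != EFSRPC_UUID:
            continue
        src = rec.get("id.orig_h", "")
        if src in EXPECTED_EFSRPC_CLIENTS:
            continue
        pipe = rec.get("named_pipe", "")
        # The report names the lsarpc pipe; the same interface on another pipe
        # is still worth a look, so it is reported at lower severity.
        alerts.append({"src": src, "dst": rec.get("id.resp_h"), "pipe": pipe,
                       "severity": "high" if is_lsarpc_pipe(pipe) else "medium"})
    return alerts, skipped


# Constructed sample records in a Zeek-like dce_rpc JSON shape (assumption:
# a raw 'interface_uuid' field; Zeek itself maps UUIDs to endpoint names).
SAMPLE_LOG = r"""
{"id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.10", "named_pipe": "\\pipe\\samr", "interface_uuid": "12345778-1234-abcd-ef00-0123456789ac"}
{"id.orig_h": "10.0.0.99", "id.resp_h": "10.0.0.10", "named_pipe": "\\pipe\\lsarpc", "interface_uuid": "{C681D488-D850-11D0-8C52-00C04FD90F7E}"}
{"id.orig_h": "10.0.0.20", "id.resp_h": "10.0.0.10", "named_pipe": "\\pipe\\lsarpc", "interface_uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e"}
{"id.orig_h": "10.0.0.99", "id.resp_h": "10.0.0.11", "named_pipe": "\\pipe\\efsrpc", "interface_uuid": "c681d488-d850-11d0-8c52-00c04fd90f7e"}
not json at all
"""
```

Run `detect_efsrpc_binds(SAMPLE_LOG.splitlines())` to get two alerts (one high, one medium) and one skipped line; the allowlisted client and the SAMR bind produce nothing.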


How Serious of an Issue is This?

High. The issue allows an attacker to completely take over a Windows domain that has NTLM authentication enabled and has the ADCS service in use with Certificate Authority Web Enrollment or Certificate Enrollment Web Service.


Has The Vendor Released an Advisory?

Yes, Microsoft has released an advisory on July 23rd, 2021.


Which Versions of Windows are Affected?

According to Microsoft, Windows Server 2008 through 2019 are affected.


Is the Security Flaw being Exploited in The Wild?

FortiGuard Labs is not aware of any attacks that take advantage of the security flaw at this time. FortiGuard Labs will continue to monitor the situation and provide updates as the situation warrants.


What is the Status of Fortinet Coverage?

FortiGuard Labs has added the following Anti-Virus (AV) detection based on the available Proof-of-Concept code:


W32/PetitPotam.A!exploit


FortiGuard Labs has released the following IPS coverage based on the available Proof-of-Concept code (definitions version 18.129). Note that the initial action for this IPS signature is set to Pass:


MS.Windows.Server.NTLM.Relay.Spoofing



Is There Any Mitigation?

Microsoft has provided mitigation in their KB article. For details, please visit the "KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)" link in the APPENDIX section.


Note that FortiGuard Labs highly recommends testing any recommended mitigation before applying it in order to avoid serious issues that may arise.


Does the recommended mitigation from MSFT address the entire issue?

Not entirely. The vulnerability will be neutralized for those that can follow Microsoft's recommendation of completely disabling NTLM on the domain controller. However, in certain enterprise networks, completely disabling NTLM may not be possible, and the mitigations go on to detail certain options that will properly protect the environment against this specific attack. In cases where even these recommendations cannot be followed due to other circumstances such as compatibility issues, Benjamin Delpy (@gentilkiwi) has shared the following on Twitter as a potential alternative mitigation for the NTLM relay vector:

As long as NTLM is enabled, the underlying NTLM relay attack vector will continue to exist. With regards to Active Directory Certificate Services however, Microsoft's recommendations will offer sufficient protection against this particular attack.

Note that FortiGuard Labs highly recommends testing any recommended mitigation before applying it in order to avoid serious issues such as breaking any application or system that leverages NTLM authentication within the environment.


Has the Vendor Released or is Scheduled to Release a Patch?

No. Microsoft has not released a patch and does not plan to release one.


Definitions

Traffic Light Protocol

TLP: RED - Not for disclosure, restricted to participants only.
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER - Limited disclosure, restricted to participants' organizations.
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN - Limited disclosure, restricted to the community.
When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE - Disclosure is not limited.
When should it be used? Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.