PetitPotam NTLM relay attack allows attackers to take over Windows domains

Description

FortiGuard Labs is aware of reports that a new vulnerability in Windows allows an attacker to take over a domain controller or other Windows servers. The vulnerable servers have NTLM authentication enabled and run the Active Directory Certificate Services (ADCS) role with either Certificate Authority Web Enrollment or Certificate Enrollment Web Service in use. Microsoft characterizes the attack as a classic NTLM relay attack, in which an attacker gains the ability to perform actions with the authenticated user's privileges by intercepting the authentication process and redirecting it to another server under the attacker's control.


When Was the Issue Found?

The issue, along with Proof-of-Concept code dubbed PetitPotam, was disclosed by French security researcher Gilles Lionel on July 23rd, 2021.


How does PetitPotam Work?

PetitPotam exploits Microsoft's Encrypting File System Remote (MS-EFSRPC) protocol to force remote Windows servers to authenticate to an arbitrary server over LSARPC (TCP port 445). As long as an attacker is able to connect to the target server's LSARPC named pipe and bind to interface c681d488-d850-11d0-8c52-00c04fd90f7e, the target server can be made to connect to any other server, without any authentication being required.
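The trigger described above has a narrow network footprint: an SMB connection to the LSARPC named pipe followed by a DCE/RPC bind to the MS-EFSRPC interface UUID. The following Python script is an added example (not FortiGuard's or the PetitPotam author's code) of detection logic that scopes on exactly those two facts from the text. It assumes a constructed, one-line-per-bind log format of the form `<timestamp> <src> -> <dst>:<port> pipe=<name> iface=<uuid>`, as a hypothetical SMB-aware sensor might emit; the sample lines and the hosts in them are constructed. Because legitimate EFS administration also binds to this interface, the check only raises findings for binds against hosts the defender lists as protected (domain controllers, AD CS servers) from sources not on an allow-list, which keeps the alert volume meaningful.

```python
"""Flag DCE/RPC binds to the MS-EFSRPC interface on the LSARPC pipe.

Added example for the PetitPotam advisory; not code from the page or its sources.
Input format is an assumption (constructed): one bind per line,
  "<timestamp> <src_ip> -> <dst_ip>:<dst_port> pipe=<name> iface=<uuid>"
"""
import re
from dataclasses import dataclass

# Values named in the advisory text: EFSRPC interface UUID, LSARPC pipe, SMB port.
EFSRPC_IFACE_UUID = "c681d488-d850-11d0-8c52-00c04fd90f7e"
LSARPC_PIPE = "lsarpc"
SMB_PORT = 445

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"pipe=(?P<pipe>\S+) iface=(?P<iface>\S+)$"
)


@dataclass(frozen=True)
class PipeBind:
    ts: str
    src: str
    dst: str
    port: int
    pipe: str
    iface: str


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Normalise the pipe name (drop leading backslashes) and UUID case so
    # "\\lsarpc" / "lsarpc" and upper/lower-case UUIDs compare equal.
    return PipeBind(
        ts=m["ts"],
        src=m["src"],
        dst=m["dst"],
        port=int(m["port"]),
        pipe=m["pipe"].lower().lstrip("\\"),
        iface=m["iface"].lower(),
    )


def is_efsrpc_bind(b: PipeBind) -> bool:
    """True when the bind matches the PetitPotam trigger: EFSRPC UUID over \\lsarpc on 445."""
    return b.port == SMB_PORT and b.pipe == LSARPC_PIPE and b.iface == EFSRPC_IFACE_UUID


def find_coercion_attempts(log_text: str, protected_hosts, trusted_sources=frozenset()):
    """Return EFSRPC binds aimed at protected hosts from non-allow-listed sources.

    protected_hosts: addresses of domain controllers / AD CS servers to watch.
    trusted_sources: addresses allowed to use EFSRPC against them (e.g. admin hosts).
    """
    findings = []
    for line in log_text.splitlines():
        b = parse_line(line)
        if b is None or not is_efsrpc_bind(b):
            continue
        if b.dst in protected_hosts and b.src not in trusted_sources:
            findings.append(b)
    return findings


def summarize_by_source(findings):
    """Count findings per source address; repeated coercion from one host stands out."""
    counts = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


# Constructed sample: two EFSRPC binds from 10.0.5.23, one legitimate LSARPC bind
# between servers, one unrelated srvsvc bind, and one malformed line.
SAMPLE_LOG = """\
2021-07-26T09:14:02Z 10.0.5.23 -> 10.0.1.10:445 pipe=\\lsarpc iface=c681d488-d850-11d0-8c52-00c04fd90f7e
2021-07-26T09:14:03Z 10.0.1.10 -> 10.0.1.11:445 pipe=\\lsarpc iface=12345778-1234-abcd-ef00-0123456789ab
2021-07-26T09:14:05Z 10.0.5.23 -> 10.0.1.11:445 pipe=\\lsarpc iface=C681D488-D850-11D0-8C52-00C04FD90F7E
2021-07-26T09:15:00Z 10.0.9.4 -> 10.0.1.10:445 pipe=\\srvsvc iface=4b324fc8-1670-01d3-1278-5a47bf6ee188
this line is not a bind record
"""

if __name__ == "__main__":
    servers = {"10.0.1.10", "10.0.1.11"}          # constructed DC / AD CS addresses
    hits = find_coercion_attempts(SAMPLE_LOG, servers, trusted_sources=servers)
    for h in hits:
        print(f"{h.ts} EFSRPC bind {h.src} -> {h.dst} (pipe={h.pipe})")
    print("per-source:", summarize_by_source(hits))
```

A finding here only shows that a coercion trigger was attempted against a watched server; whether a relay followed depends on where that server then authenticated, so the natural next step is to correlate each hit with NTLM authentications originating from the coerced server to hosts that are not its normal peers.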


How Serious of an Issue Is This?

High. The issue allows an attacker to completely take over a Windows domain in which NTLM authentication is enabled and ADCS is in use with either Certificate Authority Web Enrollment or Certificate Enrollment Web Service.


Has the Vendor Released an Advisory?

Yes, Microsoft has released an advisory on July 23rd, 2021.


Which Versions of Windows Are Affected?

According to Microsoft, Windows Server 2008 through 2019 are affected.


Is the Security Flaw Being Exploited in the Wild?

FortiGuard Labs is not aware of any attacks that take advantage of the security flaw at this time. FortiGuard Labs will continue to monitor the situation and provide updates as the situation warrants.


What is the Status of Fortinet Coverage?

FortiGuard Labs has added the following Anti-Virus (AV) detection based on the available Proof-of-Concept code:


W32/PetitPotam.A!exploit


FortiGuard Labs has released the following IPS coverage based on the available Proof-of-Concept code (definitions version 18.129). Note that the initial action for this IPS signature is set to Pass:


MS.Windows.Server.NTLM.Relay.Spoofing



Is There Any Mitigation?

Microsoft has provided mitigation in their KB article. For details, please visit the "KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)" link in the APPENDIX section.


Note that FortiGuard Labs highly recommends testing any recommended mitigation before applying it in order to avoid serious issues that may arise.


Does the Recommended Mitigation from Microsoft Address the Entire Issue?

Not entirely. The vulnerability will be neutralized for those who can follow Microsoft's recommendation of completely disabling NTLM on the domain controller. However, in certain enterprise networks completely disabling NTLM may not be possible, and Microsoft's mitigations go on to detail further options that properly protect the environment against this specific attack. In cases where even these recommendations cannot be followed due to other circumstances, such as compatibility issues, Benjamin Delpy (@gentilkiwi) has shared the following on Twitter as a potential alternative mitigation for the NTLM relay vector:

As long as NTLM is enabled, the underlying NTLM relay attack vector will continue to exist. With regard to Active Directory Certificate Services, however, Microsoft's recommendations offer sufficient protection against this particular attack.

Note that FortiGuard Labs highly recommends testing any recommended mitigation before applying it in order to avoid serious issues such as breaking any application or system that leverages NTLM authentication within the environment.


Has the Vendor Released, or Is It Scheduled to Release, a Patch?

No. Microsoft has not released a patch and does not plan to release one.