A newly-uncovered security flaw in Windows (opens in new tab) can be exploited by attackers to completely take over a Windows domain, experts have said.
The vulnerability, dubbed PetitPotam (opens in new tab), coerces remote Windows servers, including Domain Controllers, to authenticate with a malicious destination, thereby allowing adversaries to stage a Windows NT LAN Manager (NTLM) relay attack.
“PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers,” read Microsoft’s advisory (opens in new tab) on the issue.
- These are the best endpoint protection tools (opens in new tab)
- Check our list of the best firewall apps and services (opens in new tab)
- Here’s our recommendations of the best DNS services (opens in new tab)
PetitPotam was discovered by cybersecurity (opens in new tab) researcher Gilles Lionel, who shared proof of concept (PoC) code, along with technical details of the flaw.
Incomplete mitigation?
Microsoft’s advisory suggests that all users who use Active Directory Certificate Services (AD CS) with either the Certificate Authority Web Enrollment service or the Certificate Enrollment Web Service are potentially vulnerable to PetitPotam.
The vulnerability, Microsoft argues, takes advantage of servers where AD CS is not configured with protections for NTLM Relay Attacks.
“To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing,” suggests Microsoft’s advisory.
However, the researcher doesn’t think Microsoft’s mitigations fully address the issue.
In a conversation with BleepingComputer, Lionel argues that PetitPotam is about abusing the EfsRpcOpenFileRaw function of the MS-EFSRPC API to pass on authentication requests.
And while Microsoft's advisory mitigates NTLM relay attacks, he says that it does not address the abuse of the MS-EFSRPC API, which would need a security update.
- Protect your devices with these best antivirus software (opens in new tab)
Via BleepingComputer (opens in new tab)