
Critical Microsoft vulnerability enables the PetitPotam NTLM relay attack

A France-based security researcher at an IT services company has published a proof-of-concept tool called PetitPotam that is capable of abusing the Encrypting File System Remote Protocol (MS-EFSRPC). The vulnerability affects organizations that run Microsoft Active Directory Certificate Services (AD CS) as their public key infrastructure servers.

PetitPotam is carried out as an NT LAN Manager (NTLM) relay attack, which is a form of manipulator-in-the-middle attack.

Why is the NTLM relay attack concerning?

Cyber criminals can take over a Windows domain that uses Active Directory Certificate Services without any need for authentication by connecting to the LSARPC named pipe and binding to the interface c681d488-d850-11d0-8c52-00c04fd90f7e. Leveraging LSARPC to communicate with MS-EFSRPC allows this unauthorized access.

Microsoft documents MS-EFSRPC as an authenticated connection, yet the captured credential can be used to elevate privileges further, providing access and ultimately complete access. Every machine running AD CS, and every domain controller, is vulnerable to this relay attack, which makes the vulnerability highly critical and worse than the HiveNightmare vulnerability.

Microsoft’s recommendations to mitigate the NTLM relay attack

  • Organizations need to ensure that services which allow NTLM authentication also enable Extended Protection for Authentication (EPA) and signing. PetitPotam abuses AD CS servers through NTLM relay, so IT teams should harden their AD CS servers to be immune to this attack.
  • Remove Web Enrollment from your certificate service. Modern implementations enroll through RPC calls and not only through the web services, so without a proper understanding of both the RPC enrollment and the Web Enrollment services, this change could go wrong.
  • Limit the scope by disabling the NTLM provider in IIS Manager on the affected servers.
  • Disable NTLM through Group Policy on all AD CS servers and domain controllers. This enforces Kerberos authentication instead of allowing NTLM negotiations and prevents the NTLM exchange the attack depends on.
  • Check whether Extended Protection for Authentication is active; where it is, it limits the impact.
  • Enable SMB signing to reduce the impact of relay attacks, but first verify whether legacy applications still need NTLM authentication.
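The following script is an added example, written for this article and not code from Microsoft or from the PetitPotam author. It audits the mitigation points above on a single AD CS host that serves CA Web Enrollment under IIS (EPA setting, TLS requirement, NTLM provider, inbound NTLM audit/restrict policy, SMB signing) and applies the host-local ones when run with -Enforce. It assumes the Web Enrollment site lives at the IIS location 'Default Web Site/CertSrv' (override with -CertSrvLocation), that the WebAdministration module is installed, and that it runs from an elevated PowerShell session.

```powershell
# Added example (not from the article, Microsoft or the PetitPotam project).
# Audits PetitPotam-related hardening on one AD CS / IIS host; -Enforce applies it.
# Assumptions: Web Enrollment at 'Default Web Site/CertSrv', WebAdministration present, elevated shell.
[CmdletBinding()]
param(
    [switch]$Enforce,
    [string]$CertSrvLocation = 'Default Web Site/CertSrv'   # assumed IIS location of CA Web Enrollment
)
Import-Module WebAdministration -ErrorAction Stop

$appHost = 'MACHINE/WEBROOT/APPHOST'
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'
$lsaMsv  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'   # "Network security: Restrict NTLM" values live here

# Reads one IIS attribute for the CertSrv location; handles both attribute objects and raw values.
function Get-IisAttr {
    param([string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $appHost -Location $CertSrvLocation -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return [string]$v.Value }
    return [string]$v
}

# Snapshot of every setting the article's mitigation list touches.
function Get-HardeningState {
    $providers = @(Get-WebConfigurationProperty -PSPath $appHost -Location $CertSrvLocation `
                     -Filter "$winAuth/providers" -Name Collection | ForEach-Object { $_.value })
    $lsa = Get-ItemProperty -Path $lsaMsv -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EpaRequired          = ((Get-IisAttr "$winAuth/extendedProtection" 'tokenChecking') -eq 'Require')
        SslRequired          = ((Get-IisAttr 'system.webServer/security/access' 'sslFlags') -match 'Ssl')
        NtlmProviderListed   = ($providers -contains 'NTLM')
        InboundNtlmAudit     = [int]$lsa.AuditReceivingNTLMTraffic      # 2 = audit all inbound NTLM
        InboundNtlmRestrict  = [int]$lsa.RestrictReceivingNTLMTraffic   # 2 = deny all inbound NTLM
        SmbSigningRequired   = (Get-SmbServerConfiguration).RequireSecuritySignature
    }
}

# Applies the host-local mitigations. Denying inbound NTLM outright is left to Group Policy
# (see the usage note), so here NTLM is only audited.
function Set-Hardening {
    $common = @{ PSPath = $appHost; Location = $CertSrvLocation }
    # 1. EPA (channel binding) only means something over TLS, so require both on Web Enrollment.
    Set-WebConfigurationProperty @common -Filter "$winAuth/extendedProtection" -Name tokenChecking -Value 'Require'
    Set-WebConfigurationProperty @common -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    # 2. Drop the NTLM provider from Windows Authentication on the site.
    if ((Get-HardeningState).NtlmProviderListed) {
        Remove-WebConfigurationProperty @common -Filter "$winAuth/providers" -Name '.' -AtElement @{ value = 'NTLM' }
    }
    # 3. Audit all inbound NTLM so legacy dependencies show up before NTLM is denied domain-wide.
    New-ItemProperty -Path $lsaMsv -Name AuditReceivingNTLMTraffic -PropertyType DWord -Value 2 -Force | Out-Null
    # 4. Require SMB signing on this host.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

$before = Get-HardeningState
if ($Enforce) {
    Set-Hardening
    $after = Get-HardeningState
    'Before:'; $before | Format-List
    'After:';  $after  | Format-List
} else {
    $before | Format-List
}
```

Run it once without -Enforce to see where the host stands, then with -Enforce. The script deliberately stops at auditing inbound NTLM (AuditReceivingNTLMTraffic = 2): the article's last bullet warns that legacy applications may still need NTLM, so the deny setting (RestrictReceivingNTLMTraffic = 2, or the equivalent Group Policy) should only follow a review of those audit events. Note also that removing the NTLM provider leaves Negotiate in place, and Negotiate can still fall back to NTLM when Kerberos is unavailable.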

How to identify the NTLM relay attack

The following identification methods can help you detect whether you are under an NTLM relay attack:

  • Anonymous binds to RPC during PetitPotam, and anonymous connections in general.
  • Elevated user access with no apparent source; this can be further confirmed by ignoring source/client IPs that are not private.
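As an added example that is not part of the original article, the hunt script below turns the two indicators above into a Security log query for an AD CS server or domain controller. It pairs anonymous network logons (event 4624, ANONYMOUS LOGON, logon type 3) with access to the lsarpc or efsrpc named pipe over IPC$ (event 5145) by source IP, and flags whether each source is a private IPv4 address as the second bullet suggests. It assumes the "Audit Logon" and "Audit Detailed File Share" subcategories are enabled on the host and that the script runs with rights to read the Security log; the pipe names are taken from the article's own description of the LSARPC pipe and MS-EFSRPC.

```powershell
# Added example (not from the article): hunts the local Security log for the PetitPotam
# indicators named above. Assumes "Audit Logon" and "Audit Detailed File Share" are on.
[CmdletBinding()]
param(
    [int]$Hours = 24,
    [string[]]$Pipes = @('lsarpc', 'efsrpc')   # pipes from the article's LSARPC / MS-EFSRPC description
)
$since = (Get-Date).AddHours(-$Hours)

# Pulls one named EventData field out of an event's XML.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# RFC 1918 check used to apply the article's "ignore non-private source IPs" hint.
function Test-PrivateIPv4 {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Indicator 1: anonymous network logons (the anonymous RPC bind shows up as one of these).
$anon = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq 'ANONYMOUS LOGON' -and (Get-EventField $_ 'LogonType') -eq '3' } |
    ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Source = (Get-EventField $_ 'IpAddress'); Kind = 'AnonymousLogon'; Pipe = $null } }

# Indicator 2: the LSARPC / EFSRPC pipes being opened over the IPC$ share.
$pipe = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'ShareName') -like '*IPC$' -and $Pipes -contains (Get-EventField $_ 'RelativeTargetName') } |
    ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Source = (Get-EventField $_ 'IpAddress'); Kind = 'PipeAccess'; Pipe = (Get-EventField $_ 'RelativeTargetName') } }

# Correlate by source address: a host that both logged on anonymously and touched the pipes is the signal.
$report = foreach ($g in (@($anon) + @($pipe) | Group-Object Source)) {
    [pscustomobject]@{
        Source        = $g.Name
        PrivateSource = Test-PrivateIPv4 $g.Name
        AnonLogons    = @($g.Group | Where-Object Kind -eq 'AnonymousLogon').Count
        PipeHits      = @($g.Group | Where-Object Kind -eq 'PipeAccess').Count
        Pipes         = (@($g.Group | Where-Object Kind -eq 'PipeAccess').Pipe | Sort-Object -Unique) -join ','
        FirstSeen     = ($g.Group.Time | Measure-Object -Minimum).Minimum
    }
}
$report | Where-Object { $_.AnonLogons -gt 0 -and $_.PipeHits -gt 0 } | Sort-Object FirstSeen | Format-Table -AutoSize
```

Sources that appear with both an anonymous logon and a pipe hit, especially from a private address that is not a known domain controller or management host, are the ones to investigate first; running the same query on the domain controllers as well as the AD CS servers covers both sides of the relay described in the article.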

William Marshal

William has been one of the key contributors to 'The Cybersecurity Times', with 9.5 years of experience in cybersecurity journalism. Apart from writing, he also likes hiking, skating and coding.
