Threat Alert

by IthacaLabs™

THREAT LEVEL/High 29/07/2021

An exploit for a new security vulnerability that affects Microsoft Windows OSs has been released in the wild

Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

Description

We have observed that an exploit for a new security vulnerability that affects Microsoft Windows operating systems has been published.

A remote unauthenticated attacker, by exploiting this flaw, could force remote Windows systems to reveal password hashes, escalate their access privileges and finally compromise the entire domain.

This issue, named “PetitPotam”, works by forcing Microsoft Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function.

Specifically, “PetitPotam” enables a domain controller to authenticate against a remote NTLM, under a bad actor’s control, using the Encrypting File System Remote Protocol (MS-EFSRPC) interface and share its authentication information. This is done by connecting to LSARPC, resulting in a scenario where the target server connects to an arbitrary server and performs NTLM authentication.

By forcing the targeted computer to initiate an authentication procedure and share its hashed passwords via NTLM, the “PetitPotam” attack can be chained to an exploit, targeting Windows Active Directory Certificate Services (AD CS) that provides public key infrastructure (PKI) functionality, to seize control of the entire domain.

MS-EFSRPC protocol is designed to allow Windows systems to access remote encrypted data stores for maintenance and management of the data while enforcing access control policies.

The “PetitPotam” PoC, that has been published, is a form of man-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system. An attacker could use the file-sharing protocol Server Message Block (SMB) to request access to a remote system’s MS-EFSRPC interface. This forces the targeted computer to initiate an authentication procedure and share its authentication details via NTLM.

Note that Microsoft has responded promptly with a fix for the “PetitPotam” attack.

Also, note that organizations are vulnerable to the “PetitPotam” attack if NTLM authentication is enabled in their domains and/or they’re using AD CS with the services “Certificate Authority Web Enrollment” and “Certificate Enrollment Web Service”.

CVE(s)

N/A

Affected Systems

  • N/A

Recommendation(s)

You should proceed immediately and implement the mitigations outlined in the “KB5005413” advisory provided by the vendor.

It is recommended to disable the deprecated NT LAN Manager (NTLM) authentication on Windows domain controllers. In the event NTLM cannot be turned off for compatibility reasons, it is recommended to take one of the two steps below:

• Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic.

• Disable NTLM for Internet Information Services (IIS) on AD CS Servers in the domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services

It is also suggested to enable the Extended Protection for Authentication (EPA) feature on AD CS services.

You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution and always have enabled an active event security logging and practice event monitoring. To protect the valuable assets of your business and be compliant with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.

References

Get the latest Threat Alerts in your inbox.