Microsoft Issues Urgent Fix for PetitPotam
Microsoft has reclassified the vulnerability known as “PetitPotam” as an official Security Advisory as attacks continue to rise.
On July 28, Microsoft reclassified the vulnerability known as “PetitPotam” as an official Security Advisory and marked it as publicly known.
This means the precise method of triggering this vulnerability can be found on the internet, and attempts to exploit the bug, which affects all versions of Windows Server, may already be under way.
What is PetitPotam?
PetitPotam is a classic NTLM relay attack. Such attacks have been documented previously by Microsoft, along with numerous mitigation options to protect customers.
To prevent NTLM relay attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication use protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing. PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with these protections against NTLM relay attacks.
Rob Brown, Head of Customer Success, said, “If an attacker was able to expose this bug, this will give the attacker an authentication certificate that can be used to access domain services and compromise the entire Active Directory domain. This includes the creation / deletion of user accounts, or the changing of passwords.”
You are potentially vulnerable to this attack if you are using Active Directory Certificate Services (AD CS) with any of the following services:
- Certificate Authority Web Enrollment
- Certificate Enrollment Web Service
on any of the following operating systems:
- Windows Server 2008 R2
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server, version 2004
- Windows Server, version 20H2
Solutions and Mitigations
- Disable NTLM authentication on your Windows domain controllers.
- Disable NTLM on any AD CS servers in your domain using the group policy setting Network security: Restrict NTLM: Incoming NTLM traffic. To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, then set Network security: Restrict NTLM: Incoming NTLM traffic to Deny All Accounts or Deny All domain accounts. If needed, add exceptions using the setting Network security: Restrict NTLM: Add server exceptions in this domain.
- Disable NTLM for Internet Information Services (IIS) on AD CS servers in your domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.
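The following PowerShell script is an added audit example, not code from the original article or from Syxsense. It checks a single AD CS server for the conditions described above: whether either of the two vulnerable web enrollment roles is installed, what the "Restrict NTLM: Incoming NTLM traffic" policy is set to (read from the registry value that the GPO writes), and whether the IIS CertSrv application still offers the NTLM provider or lacks Extended Protection for Authentication. The registry path and value meanings (0 = Allow all, 1 = Deny all domain accounts, 2 = Deny all accounts) are the documented backing of that policy; the IIS site and application path (Default Web Site/CertSrv) is an assumption and may differ on your server. Run it in an elevated PowerShell session on the AD CS host; it only reads configuration and changes nothing.

```powershell
# Added audit example (not from the original article). Read-only: reports findings, changes nothing.
# Assumes the AD CS web enrollment application is hosted at 'Default Web Site/CertSrv' (adjust if needed).
Import-Module ServerManager   -ErrorAction SilentlyContinue
Import-Module WebAdministration -ErrorAction SilentlyContinue

$findings = New-Object System.Collections.Generic.List[string]

# 1. Are the two roles named in the advisory installed?
$roles = @{
    'ADCS-Web-Enrollment' = 'Certificate Authority Web Enrollment'
    'ADCS-Enroll-Web-Svc' = 'Certificate Enrollment Web Service'
}
$installed = @()
foreach ($name in $roles.Keys) {
    $f = Get-WindowsFeature -Name $name -ErrorAction SilentlyContinue
    if ($f -and $f.Installed) { $installed += $roles[$name] }
}
if ($installed.Count -eq 0) {
    Write-Host 'Neither AD CS web enrollment role is installed; PetitPotam relay to AD CS web endpoints does not apply here.'
} else {
    Write-Host "Installed AD CS web roles: $($installed -join ', ')"
}

# 2. Policy "Network security: Restrict NTLM: Incoming NTLM traffic" is stored here by the GPO.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $lsaPath -Name 'RestrictReceivingNTLMTraffic' -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
switch ($restrict) {
    2       { Write-Host 'Incoming NTLM traffic: Deny all accounts (recommended).' }
    1       { Write-Host 'Incoming NTLM traffic: Deny all domain accounts.' }
    default { $findings.Add('Incoming NTLM traffic is not restricted (policy "Restrict NTLM: Incoming NTLM traffic" is Allow all or unset).') }
}

# 3. IIS: does the CertSrv application still accept NTLM, and is EPA required?
$certSrv = 'IIS:\Sites\Default Web Site\CertSrv'   # assumed location of the web enrollment app
if (Test-Path $certSrv) {
    $authFilter = 'system.webServer/security/authentication/windowsAuthentication'

    # Providers offered to clients; "NTLM" here means NTLM relay to this endpoint is still possible.
    $providers = Get-WebConfiguration -PSPath $certSrv -Filter "$authFilter/providers/add" |
                 ForEach-Object { $_.value }
    Write-Host "CertSrv authentication providers: $($providers -join ', ')"
    if ($providers -contains 'NTLM') {
        $findings.Add('CertSrv still offers the NTLM provider; remove it (or restrict NTLM) so only Kerberos/Negotiate is accepted.')
    }

    # Extended Protection for Authentication binds the NTLM exchange to the TLS channel and defeats relay.
    $epa = (Get-WebConfigurationProperty -PSPath $certSrv -Filter "$authFilter/extendedProtection" -Name 'tokenChecking').ToString()
    Write-Host "CertSrv Extended Protection tokenChecking: $epa"
    if ($epa -ne 'Require') {
        $findings.Add('Extended Protection for Authentication is not set to Require on CertSrv.')
    }
} else {
    Write-Host "IIS path '$certSrv' not found; adjust the path if web enrollment is hosted elsewhere."
}

# 4. Summary for the operator.
if ($findings.Count -eq 0) {
    Write-Host 'No PetitPotam-related findings on this host.' -ForegroundColor Green
} else {
    Write-Host "`nFindings:" -ForegroundColor Yellow
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

The script reports rather than remediates so that it can be run safely against production certificate servers during triage; once the output confirms which condition applies, the corresponding mitigation from the list above (restricting incoming NTLM via the GPO, or removing NTLM from the IIS application and requiring EPA) can be applied through the usual change process.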
How Syxsense Can Help
Customers using Syxsense Secure can detect this vulnerability by running our security script called “LanMan authentication level is not NTLMv2”.
Syxsense provides that first line of defense against vulnerabilities by automating the patching of all systems. Experience the power of IT management, patch management, and security vulnerability scanning in one powerful solution.