Microsoft Issues Urgent Fix for PetitPotam

Microsoft Issues Urgent Fix for PetitPotam

New PetitPotam Attack Lets Cybercriminals Take Over Windows Domains

On July 28, Microsoft have reclassified the vulnerability known as “PetitPotam” as an official Security Advisory, and have marked this as Public Aware.

This means the precise method to expose this vulnerability is available to find on the internet, and there may attempts right now trying to take advantage of the bug effecting all versions of Windows Server.

What is PetitPotam?

PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers.

To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing. PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks.

Rob Brown, Head of Customer Success said, “If an attacker was able to expose this bug, this will give the attacker an authentication certificate that can be used to access domain services and compromise the entire Active Directory domain. This includes the creation / deletion of user accounts, or the changing of passwords.”

You are potentially vulnerable to this attack if you are using Active Directory Certificate Services (AD CS) with any of the following services:

  1. Certificate Authority Web Enrollment
  2. Certificate Enrollment Web Service

On any of the following operating systems:

  1. Windows Server 2008 R2
  2. Windows Server 2012 R2
  3. Windows Server 2016
  4. Windows Server 2019
  5. Windows Server 2004
  6. Windows Server 20H2

Solutions and Mitigations

  1. Disable NTLM Authentication on your Windows domain controller.
  2. Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic. To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set Network security: Restrict NTLM: Incoming NTLM traffic to Deny All Accounts or Deny All domain accounts. If needed, you can add exceptions as necessary using the setting Network security: Restrict NTLM: Add server exceptions in this domain.
  3. Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.

How Syxsense Can Help

Customers using Syxsense Secure can detect this vulnerability by scanning our security script called “LanMan authentication level is not NTLMv2”.

Syxsense provides that first line of defense against vulnerabilities by automating the patching of all systems. Experience the power of IT managementpatch management, and security vulnerability scanning in one powerful solution.

Start Your Free Trial of Syxsense

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Recent Posts

Topics

Related Posts

Automated Vulnerability Management: Outpacing Attackers with Efficiency

Automated Vulnerability Management: Outpacing Attackers with Efficiency

April 25, 2024
A Cyber Essential: Vulnerability Scanner as an Essential Line of Defense

A Cyber Essential: Vulnerability Scanner as an Essential Line of Defense

April 23, 2024
If Vulnerabilities Can Take Down Even the Most Prepared, What Can You Do?

If Vulnerabilities Can Take Down Even the Most Prepared, What Can You Do?

April 20, 2024
Previewing RSA Conference 2024: Top Security Themes

Previewing RSA Conference 2024: Top Security Themes

April 15, 2024