Experts reveal that the PetitPotam attack forces remote Windows servers such as Domain Controllers to validate a malicious destination.
Microsoft has released an advisory on the newly identified Windows security flaw that allows attackers to take complete control of a Windows domain.
Experts revealed that the vulnerability, dubbed PetitPotam, forces remote Windows servers such as Domain Controllers to validate a malicious destination. This allows attackers to launch a Windows NT LAN Manager relay attack.
“PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers,” Microsoft’s advisory reads.
PetitPotam Coerces Windows Hosts to Authenticate Devices
The flaw was discovered and reported by security researcher Gilles Lionel, who shared its technical details and PoC code last week. He revealed that the flaw works by coercing Windows hosts to authenticate to other devices/systems through the EfsRpcOpenFileRaw function of MS-EFSRPC, Microsoft’s Encrypting File System Remote Protocol, which is used to perform maintenance and management operations on encrypted data that is stored remotely and accessed over a network.
Who is Vulnerable to PetitPotam?
According to the advisory, users who are using Active Directory Certificate Services (AD CS) with the Certificate Enrollment Web Service or the Certificate Authority Web Enrollment service are vulnerable to this threat.
PetitPotam exploits servers where AD CS isn’t configured with protections against NTLM relay attacks. Relaying the coerced authentication gives the attacker an authentication certificate, which may be used to access DC services and compromise the entire domain.
“To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing,” Microsoft advises.
But Lionel believes this won’t fully resolve the issue, because PetitPotam abuses the EfsRpcOpenFileRaw function, and Microsoft’s advisory doesn’t address the MS-EFSRPC API abuse unless the company releases a security update.
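The following PowerShell audit, an added example that is not part of Microsoft’s advisory or Lionel’s PoC, checks the two protections the advisory names on an AD CS host: Extended Protection for Authentication on the Web Enrollment (CertSrv) and Certificate Enrollment Web Service endpoints, plus required SMB signing. It assumes the IIS WebAdministration module is available and that the AD CS applications live under "Default Web Site" with paths containing "CertSrv" or "_CES_" (both assumptions).

```powershell
# Added audit example; run on the AD CS host that serves Web Enrollment / CES.
# Assumption: the apps live under "Default Web Site" and match 'CertSrv' or '_CES_'.
Import-Module WebAdministration

function Test-AdcsNtlmRelayMitigations {
    param([string]$SiteName = 'Default Web Site')

    $findings = @()

    # 1. Extended Protection for Authentication on each AD CS web application.
    #    tokenChecking = 'Require' enforces the channel binding token, which is
    #    what stops an NTLM relay from reaching the enrollment endpoint.
    $apps = Get-WebApplication -Site $SiteName |
        Where-Object { $_.Path -match 'CertSrv|_CES_' }
    foreach ($app in $apps) {
        $psPath  = "IIS:\Sites\$SiteName$($app.Path)"
        $winAuth = Get-WebConfiguration -PSPath $psPath `
            -Filter 'system.webServer/security/authentication/windowsAuthentication'
        $epa = $winAuth.extendedProtection.tokenChecking
        $findings += [pscustomobject]@{
            Check = "EPA tokenChecking on $($app.Path)"
            Value = $epa
            Pass  = ($epa -eq 'Require')
        }

        # EPA only binds to a TLS channel, so the endpoint must also require SSL.
        $ssl = Get-WebConfigurationProperty -PSPath $psPath `
            -Filter 'system.webServer/security/access' -Name 'sslFlags'
        if ($null -ne $ssl.Value) { $ssl = $ssl.Value }
        $findings += [pscustomobject]@{
            Check = "SSL required on $($app.Path)"
            Value = "$ssl"
            Pass  = ("$ssl" -match 'Ssl')
        }
    }

    # 2. SMB signing required on this host (the other protection Microsoft names).
    $smb = Get-SmbServerConfiguration
    $findings += [pscustomobject]@{
        Check = 'SMB server signing required'
        Value = $smb.RequireSecuritySignature
        Pass  = [bool]$smb.RequireSecuritySignature
    }
    return $findings
}

Test-AdcsNtlmRelayMitigations | Format-Table -AutoSize
```

Any row with Pass = False is a gap the advisory’s guidance expects an administrator to close; as Lionel notes, these settings limit relay to AD CS but do not stop the EfsRpcOpenFileRaw coercion itself.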