Intent
The objective of this alert is to raise awareness about a vulnerability allowing NTLM relay attacks on Active Directory Certificate Services that has public Proof-of-Concept (PoC) code available.
The intent of this alert is to raise system administrator’s awareness about this vulnerability and its risks, allowing them to act accordingly.
If it is not already done, CCB/CyTRIS (Cyber Threat Research & Intelligence Sharing) recommends system administrators to apply available mitigations on their vulnerable systems as soon as possible and analyse their systems and network logs for any suspicious activity.
Summary
Microsoft is aware of “PetitPotam”1 which can be used in an attack on Windows domain controllers or other Windows servers2. The vulnerability exists due to a weakness in the NTLM authentication process.
“PetitPotam” is a classic NTLM Relay Attack, such attacks allow a remote attacker to bypass the authentication process and gain unauthorized access to the system.
Technical Details
PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks. The issue was discovered by security researcher Gilles Lionel, who shared technical details and proof-of-concept (PoC) code last week3.
The vulnerability works by forcing Windows hosts to authenticate to other machines via MS-EFSRPC “EfsRpcOpenFileRaw” function.
Systems are potentially vulnerable to this attack if NTLM authentication is enabled on the domain and makes use of Active Directory Certificate Services (AD CS) with any of the following services:
- Certificate Authority Web Enrollment
- Certificate Enrollment Web Service
Risks
The “PetitPotam” exploits a security flaw in the Windows operating system to force remote Windows servers, including Domain Controllers, to authenticate with a malicious destination. This allows an adversary to stage an NTLM relay attack and completely take over a Windows domain.
Affected Vendors and Workarounds
This vulnerability affects all versions of Microsoft Windows servers, including Domain Controllers.
CCB/CyTRIS recommends system administrators to review the mitigations outlined in KB50054134 instruct customers on how to protect their AD CS servers from such attacks. If NTLM authentication has not been disabled in the domain, the best mitigation for this issue is to disable NTLM authentication in the domain after having verified the KB article.
To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing.
Windows recommends disabling NTLM authentication on the domain controller. If NTLM cannot be disabled for compatibility reasons, apply one of the two steps below:
- Disable NTLM on any AD CS Servers in your domain using the group policy Network security > Restrict NTLM4 > Incoming NTLM traffic.
- Disable NTLM for Internet Information Services (IIS) on AD CS Servers in the domain running the "Certificate Authority Web Enrollment" or "Certificate Enrollment Web Service" services
[1] https://github.com/topotam/PetitPotam
[2] https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
[3] https://www.bleepingcomputer.com/news/microsoft/new-petitpotam-attack-allows-take-over-of-windows-domains/
[4] https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
[5] https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic