A newly discovered security flaw in the Windows operating system can be exploited to coerce remote Windows servers, including Domain Controllers, to authenticate with a malicious destination, thereby allowing an adversary to stage an NTLM relay attack and completely take over a Windows domain.
The issue, dubbed "PetitPotam," was identified by security researcher Gilles Lionel, who shared technical details and proof-of-concept (PoC) code last week, noting that the flaw works by forcing "Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function."
MS-EFSRPC is Microsoft's Encrypting File System Remote Protocol, which is used to perform "maintenance and management operations on encrypted data that is stored remotely and accessed over a network."
Specifically, the attack enables a domain controller to authenticate against a remote NTLM endpoint under an attacker's control using the MS-EFSRPC interface and hand over its authentication material. This is achieved by connecting to LSARPC, resulting in a scenario where the target server connects to an arbitrary server and performs NTLM authentication.
"An attacker can target a Domain Controller to send its credentials by using the MS-EFSRPC protocol and then relaying the DC NTLM credentials to the Active Directory Certificate Services AD CS Web Enrollment pages to enroll a DC certificate," TRUESEC's Hasain Alshakarti said. "This will effectively give the attacker an authentication certificate that can be used to access domain services as a DC and compromise the entire domain."
While disabling support for MS-EFSRPC does not stop the attack from working, Microsoft has since issued mitigations for the issue, while characterizing "PetitPotam" as a "classic NTLM relay attack," which allows attackers with access to a network to intercept legitimate authentication traffic between a client and a server and relay those validated authentication requests in order to access network services.
"To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing," Microsoft noted. "PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks."
To protect against this line of attack, the Windows maker is recommending that customers disable NTLM authentication on the domain controller. In the event NTLM cannot be turned off for compatibility reasons, the company is urging customers to take one of the two steps below:
- Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic.
- Disable NTLM for Internet Information Services (IIS) on AD CS Servers in the domain running the "Certificate Authority Web Enrollment" or "Certificate Enrollment Web Service" services.
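The following PowerShell audit script is an added example, not code from the article, Microsoft, or the researchers; it reports whether an AD CS host has the mitigations above in place. It assumes the Web Enrollment application lives at the default IIS path "Default Web Site/CertSrv", that the WebAdministration module is installed, and that it runs elevated on the CA host.

```powershell
# Added audit script (not from the article): checks an AD CS server's exposure to
# NTLM relay. Assumed paths: IIS "Default Web Site/CertSrv" and the WebAdministration module.
Import-Module WebAdministration
$findings = @()

# 1. "Network security: Restrict NTLM: Incoming NTLM traffic" is backed by the
#    MSV1_0\RestrictReceivingNTLMTraffic value: 0 = allow all, 1 = deny domain
#    accounts, 2 = deny all accounts. Anything below 2 still accepts relayed logons.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$incoming = (Get-ItemProperty -Path $lsa -Name RestrictReceivingNTLMTraffic `
    -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
if ($null -eq $incoming -or $incoming -lt 2) {
    $findings += "Incoming NTLM is not denied (RestrictReceivingNTLMTraffic = '$incoming')"
}

# 2. Extended Protection for Authentication on the Web Enrollment site.
#    tokenChecking must be 'Require' so a relayed NTLM exchange fails channel binding.
$site    = 'MACHINE/WEBROOT/APPHOST/Default Web Site/CertSrv'   # assumed path
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'
$epa = Get-WebConfigurationProperty -PSPath $site -Filter "$winAuth/extendedProtection" -Name tokenChecking
if ("$epa" -ne 'Require') {
    $findings += "EPA on CertSrv is '$epa' (expected 'Require')"
}

# 3. Authentication providers offered by CertSrv. A bare 'NTLM' provider, or plain
#    'Negotiate' (which can fall back to NTLM), still lets a relayed client in;
#    Microsoft's guidance is to offer only 'Negotiate:Kerberos'.
$providers = @((Get-WebConfiguration -PSPath $site -Filter "$winAuth/providers/add").value)
$weak = $providers | Where-Object { $_ -eq 'NTLM' -or $_ -eq 'Negotiate' }
if ($weak) {
    $findings += "CertSrv offers relay-capable providers: $($providers -join ', ')"
}

# 4. EPA needs a TLS channel to bind to, so HTTPS must be required on the site.
$ssl = Get-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/access' -Name sslFlags
if ("$ssl" -notmatch 'Ssl') {
    $findings += "CertSrv does not require SSL (sslFlags = '$ssl')"
}

if ($findings.Count -eq 0) {
    'No PetitPotam-relevant weaknesses found on this AD CS host.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Each finding maps to one of the two Microsoft steps listed above (the registry check to the group policy, the IIS checks to the Web Enrollment hardening), so an empty report means both are in place for the assumed site path.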
PetitPotam marks the third major Windows security issue disclosed over the past month, after the PrintNightmare and SeriousSAM (aka HiveNightmare) vulnerabilities.