Microsoft Releases Mitigations For New PetitPotam NTLM Relay Attack

Microsoft releases mitigations and advisory For the New PetitPotam NTLM Relay Attack that abuses a remote access protocol called Encrypting File System Remote Protocol (MS-EFSRPC).

Microsoft also posted detailed instructions on how to protect Windows domain controllers and other Windows servers from the NTLM Relay Attack known as PetitPotam.

This security vulnerability in the Windows operating system can be exploited to coerce remote Windows servers, including Domain Controllers, to authenticate with a malicious destination.

Security researcher Gilles Lionel first identified the bug on Thursday and also published a proof-of-concept (PoC) exploit code to demonstrate the attack. On the Same following day, Microsoft issued an advisory that included workaround mitigations to protect systems.

The flaw works by forcing “Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function.”

In simple words, The PetitPotam bug is tied to the Windows operating system and the abuse of a remote access protocol called Encrypting File System Remote Protocol (MS-EFSRPC). The protocol is designed to allow Windows systems to access remote encrypted data stores, allowing for management of the data while enforcing access control policies.

It says customers may be vulnerable to PetitPotam if NTLM authentication is enabled on a domain and Active Directory Certificate Services (AD CS) is in use with Certificate Authority Web Enrollment or Certificate Enrollment Web Service. 

In response to the public availability of the PoC, Microsoft was quick to respond, outlining several mitigation options. For starters, Microsoft recommends disabling NTLM authentication on Windows domain controllers. It also suggests enabling the Extended Protection for Authentication (EPA) feature on AD CS services.

To prevent NTLM Relay Attacks that meet these conditions, Microsoft advises domain admins to ensure that services that permit NTLM authentication must “make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing.”

But it also has detailed and graphical instructions for alternative mitigations if it’s not possible to disable NTLM authentication on a domain. They are listed in order of more secure to less secure.

Leave a Reply

Your email address will not be published.