Thursday, September 23, 2021

Microsoft Releases Mitigations For New PetitPotam NTLM Relay Attack


Microsoft has released an advisory and mitigations for the new PetitPotam NTLM relay attack, which abuses the Encrypting File System Remote Protocol (MS-EFSRPC), a remote access protocol built into Windows.

Microsoft also published detailed instructions on how to protect Windows domain controllers and other Windows servers from the NTLM relay attack known as PetitPotam.

The flaw can be exploited to coerce remote Windows servers, including domain controllers, into authenticating to an attacker-controlled destination.

Security researcher Gilles Lionel first identified the bug on Thursday and published proof-of-concept (PoC) exploit code demonstrating the attack. Shortly afterward, Microsoft issued an advisory (KB5005413) with workaround mitigations to protect affected systems.

In Lionel's words, the tool coerces "Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function."

Put simply, PetitPotam abuses the Encrypting File System Remote Protocol (MS-EFSRPC). The protocol is designed to let Windows systems perform maintenance and management operations on encrypted data stored remotely, while enforcing access control policies. PetitPotam turns it into a coercion primitive: the attacker calls an EFSRPC function with a UNC path pointing at a host they control, the target server's machine account authenticates to that host over NTLM, and that authentication can then be relayed to the AD CS web enrollment endpoints.

Microsoft's advisory says customers may be vulnerable to PetitPotam if NTLM authentication is enabled on the domain and Active Directory Certificate Services (AD CS) is in use with either Certificate Authority Web Enrollment or Certificate Enrollment Web Service (CES).

Once the PoC became public, Microsoft responded quickly with several mitigation options. Its primary recommendation is to disable NTLM authentication on Windows domain controllers. It also suggests enabling Extended Protection for Authentication (EPA) on the AD CS web services.

To prevent NTLM relay attacks on domains that meet these conditions, Microsoft advises domain administrators to ensure that services which still permit NTLM authentication "make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing."

For environments where NTLM cannot be disabled domain-wide, the advisory also provides detailed, illustrated instructions for alternative mitigations, listed in order from most secure to least secure.
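As an added example (not code from the article or from Microsoft's advisory), the PowerShell audit below checks a single server for the mitigations discussed above: whether the AD CS web enrollment roles are installed, whether EPA is set to Require on the CertSrv application and NTLM has been removed from its IIS authentication providers, whether incoming NTLM is restricted, and whether SMB signing is required. It assumes the IIS default path "Default Web Site/CertSrv" and the presence of the WebAdministration and SmbShare modules; the role names, IIS configuration sections and registry values are the standard Windows ones.

```powershell
# Added audit example: reports whether the PetitPotam mitigations Microsoft describes are
# in place on this host. Run elevated on the AD CS server (and on domain controllers for
# the NTLM and SMB checks). Read-only: it reports, it changes nothing.
# Assumption (not from the article): Web Enrollment lives at the IIS default path
# "Default Web Site/CertSrv".

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# 1. Relay targets: the advisory applies when CA Web Enrollment or Certificate Enrollment
#    Web Service is installed. Get-WindowsFeature needs ServerManager (Windows Server only).
$roles = Get-WindowsFeature -Name ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc -ErrorAction SilentlyContinue
$webRoleInstalled = $false
foreach ($r in $roles) {
    if ($r.Installed) { $webRoleInstalled = $true }
    Add-Finding "Role $($r.Name)" $(if ($r.Installed) { 'INSTALLED' } else { 'absent' }) $r.DisplayName
}

# 2. Extended Protection for Authentication on the CertSrv application. The hardened state
#    is tokenChecking = Require; Allow or None leaves a relayed NTLM authentication usable.
$certSrv = 'IIS:\Sites\Default Web Site\CertSrv'
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'
if ($webRoleInstalled -and (Get-Module -ListAvailable -Name WebAdministration)) {
    Import-Module WebAdministration
    if (Test-Path $certSrv) {
        $epa = Get-WebConfiguration -PSPath $certSrv -Filter "$winAuth/extendedProtection"
        $status = if ($epa.tokenChecking -eq 'Require') { 'OK' } else { 'WEAK' }
        Add-Finding 'EPA on CertSrv' $status "extendedProtection.tokenChecking = $($epa.tokenChecking)"
        # To enforce it (the change the advisory asks for), IIS Manager or:
        #   appcmd.exe set config "Default Web Site/CertSrv" /section:$winAuth `
        #     /extendedProtection.tokenChecking:"Require" /commit:apphost

        # 2b. Authentication providers: a relayed connection needs NTLM offered as a provider.
        #     The alternative mitigation removes it so only Negotiate:Kerberos remains.
        $providers = Get-WebConfigurationProperty -PSPath $certSrv -Filter "$winAuth/providers" -Name Collection |
            Select-Object -ExpandProperty value
        $status = if ($providers -contains 'NTLM') { 'WEAK' } else { 'OK' }
        Add-Finding 'IIS auth providers on CertSrv' $status ($providers -join ', ')

        # 2c. EPA's channel binding only protects TLS connections; a plain-HTTP binding
        #     on the site means the enrollment pages can still be reached without it.
        $http = Get-WebBinding -Name 'Default Web Site' -Protocol http
        $status = if ($http) { 'WEAK' } else { 'OK' }
        Add-Finding 'Plain-HTTP binding on Default Web Site' $status (($http | ForEach-Object bindingInformation) -join ', ')
    }
}

# 3. Host-level NTLM restriction, i.e. the policy "Network security: Restrict NTLM: Incoming
#    NTLM traffic". 2 = Deny all accounts, 1 = Deny all domain accounts, 0 or absent = allow all.
$msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
$incoming = if ($null -ne $msv.RestrictReceivingNTLMTraffic) { [int]$msv.RestrictReceivingNTLMTraffic } else { 0 }
Add-Finding 'Restrict incoming NTLM' $(if ($incoming -ge 1) { 'OK' } else { 'WEAK' }) "RestrictReceivingNTLMTraffic = $incoming"

# 4. SMB signing on this host's server side, the other protection the advisory names.
$smb = Get-SmbServerConfiguration
Add-Finding 'SMB server signing required' $(if ($smb.RequireSecuritySignature) { 'OK' } else { 'WEAK' }) "RequireSecuritySignature = $($smb.RequireSecuritySignature)"

$findings | Format-Table -AutoSize
if ($findings.Status -contains 'WEAK') { exit 1 }   # non-zero exit for scheduled or CI use
```

Run it once before and once after applying the advisory's steps; any row still marked WEAK on an AD CS server with a web enrollment role installed is a relay path that remains open. The CES role keeps its own setting in web.config (the extendedProtectionPolicy element in the service binding) rather than in the IIS windowsAuthentication section, so for CES this script only confirms the role is present and the host-level NTLM and SMB settings.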

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of Virtualattacks Inc, Priyanshu Vijayvargiya is a cybersecurity analyst, information security professional, developer and white-hat hacker.
