PETITPOTAM ATTACK

BACKGROUND

PetitPotam is a newly uncovered security flaw in the Windows operating system which can be used to attack remote Windows servers including Domain Controllers, to authenticate with a malicious destination, allowing an attacker to stage an NTLM relay attack and completely take over a Windows domain.

MODUS OPERANDI

An attacker coerces a privileged account to authenticate to a controlled machine without involving any domain account.
The attacker relays that authentication to a susceptible service using NTLM relay. In this attack, the services that are susceptible to NTLM relay are the Certification Authority (CA) Web Enrollment and Certificate Enrollment Web Service.
Certification Authority (CA) Web Enrollment and Certificate Enrollment Web Service are responsible for the enrollment and issuance of (among other things) client authentication certificates. The attacker uses the privileged access gained from the NTLM relay to obtain persistent escalated privileges by issuing themselves a certificate in the name of the coerced account. That certificate lets them authenticate to additional services or obtain a silver ticket.

IMPACT

  • Gain full Domain Admin permissions
  • Exposure to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks.


RECOMMENDATIONS

If the system is potentially affected, it is recommended to apply the following mitigations:
Primary mitigation

  • Enable Extended Protection for Authentication (EPA) and disable HTTP on AD Certificate Services (AD CS) servers.

Additional Mitigation

  • Disable NTLM authentication where possible.
  • Disable NTLM Authentication on your Windows domain controller.
  • Disable NTLM on any AD CS servers in your domain using the group policy "Network security: Restrict NTLM: Incoming NTLM traffic".
  • Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the "Certificate Authority Web Enrollment" or "Certificate Enrollment Web Service" services.
  • Domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing.
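The following PowerShell helper audits, and optionally applies, the primary mitigation above on an AD CS server. It is an added example, not part of this advisory and not Microsoft's tooling. It assumes it runs elevated on the AD CS server with the IIS WebAdministration module available, and that the enrollment web applications are hosted under "Default Web Site" as /CertSrv (Web Enrollment) and /<CA name>_CES_<auth> (Certificate Enrollment Web Service); adjust the site name and path pattern if your deployment differs. The IIS settings it enforces (EPA tokenChecking set to Require and sslFlags set to Ssl) are the ones described in KB5005413; the incoming-NTLM policy is reported only, since it should be set through Group Policy rather than edited locally.

```powershell
# Added example: audit/remediate the PetitPotam primary mitigation on an AD CS host.
# Assumptions: elevated session, WebAdministration module present, enrollment apps
# under "Default Web Site" as /CertSrv and /*_CES_* (hypothetical defaults).
Import-Module WebAdministration

# Get-WebConfigurationProperty may return a plain string or an attribute object;
# reduce either to a string for comparison.
function ConvertTo-ConfigString($Value) {
    if ($null -eq $Value) { return '' }
    if ($Value.PSObject.Properties['Value']) { return [string]$Value.Value }
    return [string]$Value
}

function Test-AdcsWebEnrollmentHardening {
    [CmdletBinding()]
    param(
        [string]$SiteName = 'Default Web Site',   # assumption: default IIS site name
        [switch]$Remediate                        # apply fixes instead of only reporting
    )
    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($Check, $Target, $Status, $Detail)
        $findings.Add([pscustomobject]@{ Check = $Check; Target = $Target; Status = $Status; Detail = $Detail }) }

    # 1. Site bindings: plain HTTP must be removed, but only once an HTTPS binding exists,
    #    otherwise enrollment becomes unreachable.
    $bindings = Get-WebBinding -Name $SiteName
    $http  = @($bindings | Where-Object { $_.protocol -eq 'http' })
    $https = @($bindings | Where-Object { $_.protocol -eq 'https' })
    if ($http.Count -gt 0) {
        if ($Remediate -and $https.Count -gt 0) {
            Remove-WebBinding -Name $SiteName -Protocol http
            & $add 'HTTP binding' $SiteName 'FIXED' ($http.bindingInformation -join ', ')
        } else {
            $why = if ($https.Count -eq 0) { 'no HTTPS binding present; bind a server certificate first' }
                   else { ($http.bindingInformation -join ', ') }
            & $add 'HTTP binding' $SiteName 'FAIL' $why
        }
    } else { & $add 'HTTP binding' $SiteName 'PASS' 'no http binding' }

    # 2. Per enrollment application: EPA must be required and SSL must be required.
    $apps = Get-WebApplication -Site $SiteName | Where-Object { $_.path -match '^/CertSrv$|_CES_' }
    if (-not $apps) { & $add 'AD CS apps' $SiteName 'WARN' 'no /CertSrv or *_CES_* application found; check site name' }
    foreach ($app in $apps) {
        $psPath  = "IIS:\Sites\$SiteName$($app.path)"
        $epaPath = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
        $sslPath = 'system.webServer/security/access'

        $epa = ConvertTo-ConfigString (Get-WebConfigurationProperty -PSPath $psPath -Filter $epaPath -Name 'tokenChecking')
        if ($epa -ne 'Require') {
            if ($Remediate) {
                Set-WebConfigurationProperty -PSPath $psPath -Filter $epaPath -Name 'tokenChecking' -Value 'Require'
                & $add 'EPA tokenChecking' $app.path 'FIXED' "was '$epa', now Require"
            } else { & $add 'EPA tokenChecking' $app.path 'FAIL' "is '$epa', expected Require" }
        } else { & $add 'EPA tokenChecking' $app.path 'PASS' 'Require' }

        $ssl = ConvertTo-ConfigString (Get-WebConfigurationProperty -PSPath $psPath -Filter $sslPath -Name 'sslFlags')
        if ($ssl -notmatch '\bSsl\b') {
            if ($Remediate) {
                Set-WebConfigurationProperty -PSPath $psPath -Filter $sslPath -Name 'sslFlags' -Value 'Ssl'
                & $add 'Require SSL' $app.path 'FIXED' "was '$ssl', now Ssl"
            } else { & $add 'Require SSL' $app.path 'FAIL' "is '$ssl', expected Ssl" }
        } else { & $add 'Require SSL' $app.path 'PASS' $ssl }
    }

    # 3. Report only: "Network security: Restrict NTLM: Incoming NTLM traffic" is backed by
    #    this registry value (0 = allow all, 1 = deny domain accounts, 2 = deny all).
    $lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue
    $ntlm = if ($lsa) { $lsa.RestrictReceivingNTLMTraffic } else { 0 }
    & $add 'Incoming NTLM' 'local policy' $(if ($ntlm -eq 2) { 'PASS' } else { 'WARN' }) "RestrictReceivingNTLMTraffic=$ntlm"

    return $findings
}

# Usage: report first; rerun with -Remediate once an HTTPS binding with a server certificate exists.
Test-AdcsWebEnrollmentHardening | Format-Table -AutoSize
# Test-AdcsWebEnrollmentHardening -Remediate | Format-Table -AutoSize
```

Run it without -Remediate first and review the FAIL/WARN rows; the HTTP binding is only removed when an HTTPS binding is already present, so bind a server certificate before the remediation pass.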

Microsoft has released mitigation information here:
https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-rel…