PetitPotam NT Lan Manager (NTLM) Relay Attack

Published on 26 Jul 2021

Updated on 29 Jul 2021

Update (29 Jul 2021):

Microsoft has released new mitigation measures for the "PetitPotam" security flaw in the Windows operating system. In addition to disabling NTLM authentication, Microsoft recommends enabling Extended Protection for Authentication (EPA) and disabling HTTP on AD CS servers. More information is available here.

Original alert published on 26 Jul 2021 below:

A security researcher has discovered a security flaw, dubbed "PetitPotam", in the Microsoft Windows operating system. PetitPotam is a type of NTLM relay attack. When combined with Active Directory Certificate Services (AD CS), it can be used against Windows domain controllers and other Windows servers. An environment is considered vulnerable if NTLM authentication is enabled in the domain and AD CS is used with either Certificate Authority Web Enrollment or Certificate Enrollment Web Service.

Microsoft recommends that administrators whose environment is vulnerable to this attack consider disabling NTLM authentication on their Windows domain controller. This can be done by following the instructions here.

However, disabling NTLM authentication risks breaking any application or system in your environment that relies on it. For administrators who are unable to disable NTLM on their domain, Microsoft recommends the other mitigations listed here.
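As an added check (not part of this alert and not Microsoft's own tooling), the following PowerShell audits an AD CS host for the mitigations named above: EPA required on the CA Web Enrollment application, SSL required, no plain-HTTP binding left on the site, and incoming NTLM denied on the host. It assumes the default IIS site name and the default /CertSrv path; the Certificate Enrollment Web Service keeps its EPA setting in its own web.config and is not inspected here.

```powershell
# Added audit script, not from the advisory or from Microsoft. Run elevated on the
# AD CS host that serves CA Web Enrollment. Assumes the default IIS site name and
# the default /CertSrv application path; CES (the Enrollment Web Service) keeps its
# EPA setting in its own web.config and is not inspected here.
Import-Module ServerManager
Import-Module WebAdministration

# Get-WebConfigurationProperty returns either a bare value or an object with .Value,
# depending on the attribute; normalise to a string for comparison.
function Get-IisValue([string]$PSPath, [string]$Filter, [string]$Name) {
    $p = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $p -and $p.PSObject.Properties['Value']) { "$($p.Value)" } else { "$p" }
}

$findings = @()

# 1. Is web enrollment installed at all? If not, this relay target does not exist here.
$webRoles = Get-WindowsFeature -Name ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc | Where-Object Installed
if (-not $webRoles) { Write-Host 'No AD CS web enrollment role services installed.'; return }

$certSrv = 'IIS:\Sites\Default Web Site\CertSrv'

# 2. EPA: Windows authentication on /CertSrv must require channel-binding tokens,
#    which ties the NTLM exchange to the TLS channel so a relayed handshake is rejected.
$epa = Get-IisValue $certSrv 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' 'tokenChecking'
if ($epa -ne 'Require') { $findings += "CertSrv extendedProtection tokenChecking is '$epa', expected 'Require'" }

# 3. Require SSL: EPA only protects connections that actually use TLS.
$ssl = Get-IisValue $certSrv 'system.webServer/security/access' 'sslFlags'
if ($ssl -notmatch 'Ssl') { $findings += "CertSrv does not require SSL (sslFlags='$ssl')" }

# 4. A remaining plain-HTTP binding on the site lets a relayed client bypass TLS entirely.
$http = Get-WebBinding -Name 'Default Web Site' -Protocol http
if ($http) { $findings += "Default Web Site still has HTTP bindings: $($http.bindingInformation -join ', ')" }

# 5. Incoming NTLM on this host: 0 = allow all, 1 = deny domain accounts, 2 = deny all.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlm = (Get-ItemProperty -Path $lsa -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
if ($ntlm -ne 2) { $findings += "RestrictReceivingNTLMTraffic is '$ntlm' (2 denies all incoming NTLM)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'All checked AD CS NTLM relay mitigations are in place.' }
```

Each warning maps to one of the KB5005413 recommendations, so an empty result means the host has the published mitigations applied, not that the domain as a whole no longer accepts NTLM.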

References:
https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
https://isc.sans.edu/diary/27668