Windows security update blocks PetitPotam NTLM relay attacks


Microsoft has released security updates that block the PetitPotam NTLM relay attack, which allows a threat actor to take over a Windows domain.

In July, security researcher Gilles Lionel, also known as Topotam, disclosed a new technique called PetitPotam that forces a domain controller to authenticate against a threat actor's server using the MS-EFSRPC API functions.

Using the PetitPotam vector, a threat actor can use the Windows LSARPC interface to interact with and execute MS-EFSRPC API functions without authorization. The functions, OpenEncryptedFileRawA and OpenEncryptedFileRawW, allow the threat actor to force a domain controller to authenticate to an NTLM relay server under the attacker's control.

The NTLM relay then forwards the request to a target's Active Directory Certificate Services over HTTP to obtain a Kerberos ticket-granting ticket (TGT), which allows the threat actor to assume the identity of any device on the network, including a domain controller.

This NTLM relay attack allows the threat actor to take over the domain controller, and therefore the Windows domain.

In July, Microsoft released a security advisory explaining how to mitigate NTLM relay attacks targeting Active Directory Certificate Services (AD CS).

However, Microsoft provided no information on blocking the PetitPotam vector itself until researchers found how to block it using NETSH RPC filters.
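The NETSH-filter workaround mentioned above, as an added example that is not from the article or from Microsoft: it blocks the MS-EFSRPC RPC interface on a domain controller from an elevated PowerShell session. The two interface UUIDs are the published MS-EFSR identifiers (reachable over \pipe\lsarpc and \pipe\efsrpc); the filter-script path is an assumed location.

```powershell
# Added example: block the MS-EFSRPC interfaces with a netsh RPC filter.
# Run from an elevated PowerShell session on the domain controller.
# Interface UUIDs are the MS-EFSR identifiers; the script path is assumed.
$rules = @"
rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter
quit
"@

$scriptPath = Join-Path $env:TEMP 'block-efsrpc.txt'   # assumed path
Set-Content -Path $scriptPath -Value $rules -Encoding ASCII

# Apply the filter script, then list the active RPC filters to confirm.
netsh -f $scriptPath
netsh rpc filter show filter

# Roll back if EFS backup tooling breaks (see the backup-software caveat below):
#   netsh rpc filter delete filter filterkey=all
```

The filter blocks the whole EFSRPC interface, not just the two coercion-prone calls, so any remote use of OpenEncryptedFileRaw (the backup-software case the article discusses) against the domain controller stops working; test that before deploying broadly.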

Microsoft blocks the PetitPotam vector

As part of the August 2021 Patch Tuesday updates, Microsoft has released a security update that blocks the PetitPotam vector (CVE-2021-36942), so it can no longer force a domain controller to authenticate against another server:

“An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM,” explains Microsoft in the CVE-2021-36942 advisory.

“This security update blocks the affected API calls OpenEncryptedFileRawA and OpenEncryptedFileRawW through LSARPC interface.”

Microsoft warns that installing this update may affect backup software that relies on the EFS API OpenEncryptedFileRaw(A/W) function.

“The EFS API OpenEncryptedFileRaw(A/W), often used in backup software, continues to work in all versions of Windows (local and remote), except when backing up to or from a system running Windows Server 2008 SP2. OpenEncryptedFileRaw will no longer work on Windows Server 2008 SP2,” warns Microsoft.

If your backup software no longer works after installing this update on Windows 7 Service Pack 1 or Windows Server 2008 R2 Service Pack 1 and later, Microsoft recommends contacting your backup software vendor for an updated version.
