This nasty Microsoft attack could let hackers hijack entire Windows servers

Microsoft’s mitigation doesn’t completely solve the issue, argues researcher

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A newly-uncovered security flaw inWindowscan be exploited by attackers to completely take over a Windows domain, experts have said.

The vulnerability, dubbedPetitPotam, coerces remote Windows servers, including Domain Controllers, to authenticate with a malicious destination, thereby allowing adversaries to stage a Windows NT LAN Manager (NTLM) relay attack.

“PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented byMicrosoftalong with numerous mitigation options to protect customers,” readMicrosoft’s advisoryon the issue.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

Click here to start the survey in a new window«

PetitPotam was discovered bycybersecurityresearcher Gilles Lionel, who shared proof of concept (PoC) code, along with technical details of the flaw.

Incomplete mitigation?

Microsoft’s advisory suggests that all users who use Active Directory Certificate Services (AD CS) with either the Certificate Authority Web Enrollment service or the Certificate Enrollment Web Service are potentially vulnerable to PetitPotam.

The vulnerability, Microsoft argues, takes advantage of servers where AD CS is not configured with protections for NTLM Relay Attacks.

“To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing,” suggests Microsoft’s advisory.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

However, the researcher doesn’t think Microsoft’s mitigations fully address the issue.

In a conversation withBleepingComputer, Lionel argues that PetitPotam is about abusing the EfsRpcOpenFileRaw function of the MS-EFSRPC API to pass on authentication requests.

And while Microsoft’s advisory mitigates NTLM relay attacks, he says that it does not address the abuse of the MS-EFSRPC API, which would need a security update.

ViaBleepingComputer

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

This new malware utilizes a rare programming language to evade traditional detection methods

A new form of macOS malware is being used by devious North Korean hackers

I’ve been covering Apple Watch deals for years – This is the one model most people should buy on Black Friday