Microsoft has shared more information on how organizations can protect Windows domain controllers and other Windows servers against potential PetitPotam attacks.
PetitPotam is the name assigned to a vulnerability that can be exploited by an unauthenticated attacker to get a targeted server to connect to an arbitrary server and perform NTLM authentication.
PetitPotam can be chained with an exploit targeting Active Directory Certificate Services (AD CS) to ultimately take complete control of a Windows domain.
A proof-of-concept (PoC) exploitation tool was made available last week for PetitPotam by France-based security researcher Lionel Gilles (aka Topotam), and the SANS Institute’s Internet Storm Center has published a step-by-step description of the attack.
Microsoft published an advisory in response to the findings, describing PetitPotam as a “classic NTLM Relay Attack” and pointing to previously provided mitigations.
However, some cybersecurity experts were not happy with Microsoft’s response. This week, the tech giant updated its advisory and shared detailed mitigations, which include enabling the Extended Protection for Authentication (EPA) feature, disabling HTTP on AD CS, and disabling NTLM authentication where possible.
According to Microsoft, Windows Server 2008, Server 2012, Server 2016, Server 2019, and Windows Server versions 20H2 and 2004 are impacted. The company’s advisory confirms that information on PetitPotam is publicly available, but says it has not been exploited in attacks.
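As an added, read-only example (not code from Microsoft’s advisory or from the article), the PowerShell audit below reports whether each AD CS web application requires EPA and HTTPS, the two IIS settings the mitigations above change. It assumes the WebAdministration module is available, that AD CS is published under a site named 'Default Web Site', and that the application names follow the default CertSrv/CEP/CES patterns; adjust those assumptions to match your server.

```powershell
# Added defender-side audit for the PetitPotam mitigations: check that the
# AD CS web endpoints require Extended Protection and HTTPS.
# Assumptions (adjust as needed): run elevated on the CA web server,
# site name 'Default Web Site', default AD CS application name patterns.
Import-Module WebAdministration

function Get-IisPropertyValue {
    # Get-WebConfigurationProperty may return a bare value or a
    # ConfigurationAttribute object; normalise both to the plain value.
    param($Raw)
    if ($null -ne $Raw.Value) { return $Raw.Value } else { return $Raw }
}

function Test-AdcsEpaHardening {
    param([string]$SiteName = 'Default Web Site')

    # Default AD CS application paths: /CertSrv (web enrollment),
    # /ADPolicyProvider_CEP_* (enrollment policy), /<CA>_CES_* (enrollment service).
    $apps = Get-WebApplication -Site $SiteName |
        Where-Object { $_.path -match '^/(CertSrv|ADPolicyProvider_CEP_|.+_CES_)' }

    foreach ($app in $apps) {
        $path = "IIS:\Sites\$SiteName$($app.path)"

        # EPA "Require" binds the NTLM exchange to the TLS channel, so a
        # handshake relayed from another machine is rejected by the server.
        $epa = Get-IisPropertyValue (Get-WebConfigurationProperty -PSPath $path `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name tokenChecking)

        # sslFlags containing "Ssl" forces HTTPS; channel binding is
        # meaningless over plain HTTP, which is why HTTP must be disabled.
        $ssl = Get-IisPropertyValue (Get-WebConfigurationProperty -PSPath $path `
            -Filter 'system.webServer/security/access' -Name sslFlags)

        [pscustomobject]@{
            Application   = $app.path
            TokenChecking = "$epa"
            SslFlags      = "$ssl"
            EpaRequired   = ("$epa" -eq 'Require')
            HttpsRequired = ("$ssl" -match 'Ssl')
        }
    }
}

# Any row with EpaRequired or HttpsRequired = False still needs hardening.
Test-AdcsEpaHardening | Format-Table -AutoSize
```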
In a blog post published on Thursday, cybersecurity firm Malwarebytes described the PetitPotam attack and noted that it will be difficult to patch “without breaking stuff” due to the fact that it abuses legitimate functionality.