The NTLM relay vulnerability that Microsoft patched in its latest Windows security update has been confirmed to be a previously unfixed vector for the PetitPotam attack.
During the May 2022 Patch Tuesday, Microsoft released a security update for an actively exploited NTLM Relay Attack labeled as a ‘Windows LSA Spoofing Vulnerability’ and tracked as CVE-2022-26925.
“An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it.”
An NTLM Relay Attack lets a threat actor coerce a device, even a domain controller, into authenticating to a server the attacker controls. The attacker's server then relays that authentication to another service (for example, AD CS web enrollment) and acts there with the coerced device's privileges.
These attacks are significant problems as they could allow a threat actor to gain complete control over the domain.
While Microsoft did not share many details about the bug, its advisory stated that the fix affected the EFS API OpenEncryptedFileRaw(A/W) function, which suggested that this might be another unpatched vector for the PetitPotam attack.
PetitPotam is an NTLM Relay Attack tracked as CVE-2021-36942 that French security researcher Gilles Lionel, aka Topotam, discovered in July 2021.
The PetitPotam attack allowed unauthenticated users to use the EfsRpcOpenFileRaw function of the MS-EFSRPC API to force a device to perform NTLM authentication against attacker-controlled servers.
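The two log patterns a PetitPotam-style coercion followed by an NTLM relay leaves behind, as an added example that is not code from the article or from the PetitPotam tool: an anonymous open of the efsrpc or lsarpc named pipe on a domain controller (Security event 5145), and the DC's machine account then logging on over the network with NTLM somewhere it should not (Security event 4624). The events, host names, addresses, the correlation window and the pipe list below are constructed for the example.

```python
"""Detector for coercion + NTLM relay indicators in Windows Security events.

Added example; constructed data, not events from a real domain.
  1. 5145 on a DC: ANONYMOUS LOGON opening \\*\IPC$ pipe efsrpc or lsarpc.
  2. 4624 elsewhere: a DC machine account, NTLM, LogonType 3, from an address
     that is not the DC itself (someone replaying the DC's authentication).
"""
from dataclasses import dataclass

# Pipes that reach MS-EFSRPC (assumption: this example's own list).
COERCION_PIPES = {"efsrpc", "lsarpc"}

# Constructed inventory: DC machine account -> addresses it legitimately uses.
DC_ADDRESSES = {"DC01$": {"10.0.0.10"}}

# Seconds within which a relayed logon is linked to a coercion (assumed value).
CORRELATION_WINDOW = 120


@dataclass
class Event:
    event_id: int
    computer: str   # host that wrote the event
    time: int       # epoch seconds (constructed)
    fields: dict    # EventData fields, named as in the Security log XML


def is_coercion_attempt(ev: Event) -> bool:
    """5145: anonymous open of an EFSRPC pipe over IPC$."""
    f = ev.fields
    return (ev.event_id == 5145
            and f.get("ShareName", "").upper().endswith("IPC$")
            and f.get("RelativeTargetName", "").lower() in COERCION_PIPES
            and f.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON")


def is_relayed_dc_logon(ev: Event) -> bool:
    """4624: DC machine account, NTLM, network logon, from a non-DC address."""
    f = ev.fields
    if ev.event_id != 4624:
        return False
    account = f.get("TargetUserName", "")
    if account not in DC_ADDRESSES:          # only DC machine accounts matter
        return False
    if f.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    if f.get("LogonType") != "3":
        return False
    src = f.get("IpAddress", "-")
    return src not in DC_ADDRESSES[account] and src not in {"-", "127.0.0.1", "::1"}


def triage(events):
    """Return finding strings; a relay is tagged RELAY_CHAIN when a coercion
    from the same source address precedes it inside CORRELATION_WINDOW."""
    findings = []
    coercions = [e for e in events if is_coercion_attempt(e)]
    for ev in events:
        if is_coercion_attempt(ev):
            findings.append(f"COERCION {ev.computer}: anonymous "
                            f"{ev.fields['RelativeTargetName']} from "
                            f"{ev.fields.get('IpAddress', '?')}")
        elif is_relayed_dc_logon(ev):
            src = ev.fields["IpAddress"]
            linked = [c for c in coercions
                      if c.fields.get("IpAddress") == src
                      and 0 <= ev.time - c.time <= CORRELATION_WINDOW]
            tag = "RELAY_CHAIN" if linked else "RELAY"
            findings.append(f"{tag} {ev.computer}: {ev.fields['TargetUserName']} "
                            f"via NTLM from {src}")
    return findings


# Constructed sample log: one coercion + relay chain, one lone relay, benign noise.
SAMPLE_EVENTS = [
    Event(5145, "DC01", 1000, {"ShareName": r"\\*\IPC$", "RelativeTargetName": "efsrpc",
                               "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.99"}),
    Event(5145, "DC01", 1001, {"ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc",
                               "SubjectUserName": "jdoe", "IpAddress": "10.0.0.55"}),
    Event(4624, "CA01", 1003, {"TargetUserName": "DC01$", "AuthenticationPackageName": "NTLM",
                               "LogonType": "3", "IpAddress": "10.0.0.99"}),
    Event(4624, "FS01", 1004, {"TargetUserName": "DC01$", "AuthenticationPackageName": "Kerberos",
                               "LogonType": "3", "IpAddress": "10.0.0.10"}),
    Event(4624, "CA01", 1005, {"TargetUserName": "jdoe", "AuthenticationPackageName": "NTLM",
                               "LogonType": "3", "IpAddress": "10.0.0.55"}),
    Event(4624, "FS01", 9000, {"TargetUserName": "DC01$", "AuthenticationPackageName": "NTLM",
                               "LogonType": "3", "IpAddress": "10.0.0.77"}),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Note the limits: 5145 only fires when object access auditing for file shares is enabled on the DC, the anonymous check misses the authenticated variant of the attack, and the pipe list covers only the EFSRPC endpoints the article discusses, so other coercion interfaces need their own entries.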
While Microsoft fixed part of the PetitPotam vulnerability in August 2021, there were still unpatched vectors that allowed the bug to be abused by attackers.
When we contacted Microsoft to confirm if the NTLM Relay vector patched this month was related to PetitPotam, they responded with a stock response that did not answer our questions.
“A security update was released in May. Customers who apply the update, or have automatic updates enabled, will be protected. We are continuously improving security for our products and encourage customers to turn on automatic updates to help ensure they are protected.” – a Microsoft spokesperson.
However, BleepingComputer has since confirmed that the recently fixed NTLM Relay Attack bug does, in fact, fix an unpatched vector for the PetitPotam attack.
Raphael John, whom Microsoft credits with discovering the new NTLM Relay vulnerability, says he found that PetitPotam was still working while conducting pentests in January and March.
The story behind CVE-2022-26925 is no advanced reverse engineering, but a lucky accident 😉
During my pentests in January and March I saw that PetitPotam worked against the DCs. 1/2
— Raphael (@raphajohnsec) May 11, 2022
However, when he disclosed it to Microsoft, they fixed it under a new CVE rather than the original one assigned to PetitPotam.
“I made it very clear in the report, that it is just PetitPotam and nothing I found out or changed,” Raphael John told BleepingComputer in a conversation.
PetitPotam continued to work after the August 2021 update because that fix did not fully close the vector: in January 2022, Topotam updated his proof-of-concept to match the RPC authentication level and type, and the attack worked again.
No they didn’t. The mistake they made was to not fully fix the vuln in the first place. @topotam77 just updated the PoC to match the RPC auth level and type in that time frame (https://t.co/bItINRm7my)
— Charlie Bromberg (Shutdown) (@_nwodtuhs) May 12, 2022
Gilles has confirmed to BleepingComputer that the new security update has now fixed the PetitPotam ‘EfsRpcOpenFileRaw’ vector, but other EFS vectors still exist, allowing the attack to work.
“All functions of petitpotam, as other vectors, still work except efsopenfileraw,” Gilles told BleepingComputer.
As new PetitPotam vectors and other NTLM Relay attacks will be discovered in the future, Microsoft suggests that Windows domain admins become familiar with the mitigations outlined in its ‘Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)’ support document.