Microsoft NTLM Relay Attacks on Active Directory Certificate Services
Last Update Date:
28 Jul 2021
Release Date:
26 Jul 2021
RISK: High Risk
TYPE: Servers - Other Servers
Microsoft is aware of the PetitPotam NTLM relay attack against Windows domain controllers running Active Directory Certificate Services (AD CS) and other Windows servers. Attackers could exploit the vulnerability to achieve remote code execution, elevation of privilege and spoofing, and take total control of the domain controller.
Notes:
- POC tool is publicly available.
- Update on 28 July 2021: Added the recently published Microsoft KB article "Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)" to "Related Links".
Impact
- Remote Code Execution
- Elevation of Privilege
- Spoofing
System / Technologies affected
- Windows Server, version 20H2 (Server Core Installation)
- Windows Server, version 2004 (Server Core installation)
- Windows Server 2019 (Server Core installation)
- Windows Server 2019
- Windows Server 2016 (Server Core installation)
- Windows Server 2016
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 (Server Core installation)
- Windows Server 2012
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
Solutions
Microsoft has suggested mitigation options to protect customers.
Vulnerability Identifier
- No CVE information is available
Source
Related Link