Skip to main content

Microsoft NTLM Relay Attacks on Active Directory Certificate Services

Last Update Date: 28 Jul 2021 Release Date: 26 Jul 2021 6580 Views

RISK: High Risk

TYPE: Servers - Other Servers

TYPE: Other Servers

Microsoft is aware of PetitPotam NTLM relay attack on Windows domain controllers Active Directory Certificate Services (AD CS) or other Windows servers. Attackers could exploit the system to trigger remote code execution, elevation of privilege, spoofing and take total control of the domain controller. 

 

Notes:

  • POC tool is publicly available.
  • Update on 28 July 2021 : Added recently published Microsoft KB article on "Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)" to "Related Links" 

 

 


Impact

  • Remote Code Execution
  • Elevation of Privilege
  • Spoofing

System / Technologies affected

  • Windows Server, version 20H2 (Server Core Installation)
  • Windows Server, version 2004 (Server Core installation)
  • Windows Server 2019  (Server Core installation)
  • Windows Server 2019
  • Windows Server 2016  (Server Core installation)
  • Windows Server 2016
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1

Solutions

Microsoft has suggested mitigation options to protect customers.

 


Vulnerability Identifier

  • No CVE information is available

Source


Related Link