Microsoft Windows EFSRPC NTLM Reflection Elevation of Privilege (PetitPotam) (Remote)

medium Nessus Plugin ID 152102

Synopsis

The remote host is affected by an NTLM reflection elevation of privilege vulnerability.

Description

The remote host is affected by an NTLM reflection elevation of privilege vulnerability known as 'PetitPotam'. An unauthenticated, remote attacker can exploit this by sending a specially crafted EFSRPC (MS-EFSR) request, such as an EfsRpcOpenFileRaw call whose file name is a UNC path on an attacker-controlled server, to cause the affected host to authenticate to that server with its machine account. The attacker can then relay that NTLM authentication to impersonate the target host against other services that accept NTLM without requiring signing or Extended Protection for Authentication (EPA).

One attack scenario, described in KB5005413, uses this coercion to obtain an NTLM session as a domain controller's machine account. That session is relayed to the web enrollment endpoints of an Active Directory Certificate Services (AD CS) host to obtain a certificate issued to the domain controller. The certificate can then be used to authenticate as the domain controller and move laterally or escalate privileges within the domain.

Solution

Apply the updates supplied by the vendor. Optionally, refer to Microsoft's KB5005413 for mitigation guidance, which covers enabling Extended Protection for Authentication and requiring TLS on the AD CS web enrollment services, and disabling NTLM on AD CS hosts where possible. RPC filters may also be implemented to block remote access to the interface UUIDs necessary for this exploit; note that blocking those interfaces also disables legitimate remote EFS operations against the host.
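The RPC filter mitigation mentioned above, as an added example that is not Tenable's or Microsoft's code. It blocks both MS-EFSR interface UUIDs with netsh, which is the command the filter is normally typed into on the host. The UUIDs are the EFSRPC interfaces exposed over \pipe\lsarpc and \pipe\efsrpc; the temporary file path and the assumption that the session is elevated are the example's own.

```powershell
# Added example (not from the Nessus plugin page): install a user-mode RPC filter that
# blocks the two MS-EFSR interfaces PetitPotam coerces. Must be run from an elevated shell.
# Caveat: this also breaks legitimate remote EFS operations on this host; test first.

# netsh script in the same form "netsh -f" expects: enter the rpc filter context,
# then for each interface add a block rule, a UUID condition, and commit the filter.
$filterScript = @"
rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter
quit
"@

# Assumed scratch location for the script file; any writable path works.
$scriptPath = Join-Path $env:TEMP 'block-efsrpc-filter.txt'
Set-Content -Path $scriptPath -Value $filterScript -Encoding ASCII

# Install the filters. netsh -f reads the file as a batch of netsh commands.
netsh -f $scriptPath

# Verify: the output should list two block rules, one per EFSRPC interface UUID.
netsh rpc filter show filter

# Rollback, if needed. This removes every user-mode RPC filter on the host, not only
# the two added here, so check "show filter" first on hosts with other filters.
# netsh rpc filter delete filter filterkey=all
```

After installing the filter, re-run this plugin (or a PetitPotam test from a lab host) against the target: the EFSRPC request should now be rejected before the host ever attempts the outbound authentication. Deploy the filter through Group Policy startup scripts or your configuration management tool rather than by hand so it survives rebuilds.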

See Also

https://github.com/topotam/PetitPotam

https://kb.cert.org/vuls/id/405600

https://msrc.microsoft.com/update-guide/vulnerability/ADV210003

http://www.nessus.org/u?d0ab9e93

Plugin Details

Severity: Medium

ID: 152102

File Name: windows_petitpotam.nbin

Version: 1.44

Type: remote

Agent: windows

Family: Windows

Published: 7/27/2021

Updated: 9/19/2022

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.3

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Temporal Vector: E:H/RL:OF/RC:C

CVSS Score Source: CVE-2021-36942

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 5.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:microsoft:windows

Required KB Items: Host/OS

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 7/18/2021

CISA Known Exploited Dates: 11/17/2021

Reference Information

CVE: CVE-2021-36942

IAVA: 2021-A-0374-S