Microsoft silently fixed the previously disclosed ‘ShadowCoerce’ vulnerability on June 14, 2022, as part of the monthly ‘Patch Tuesday’. The flaw allowed threat actors to launch NTLM relay attacks against Windows servers by abusing Microsoft’s File Server Remote VSS Protocol (MS-FSRVP).
‘ShadowCoerce’ was mitigated along with CVE-2022-30154, which affected the same component. CVE-2022-30154 is a privilege escalation vulnerability in Microsoft File Server Shadow Copy Agent Service (RVSS).
Despite patching the flaw, Microsoft has not yet published any details about it or assigned it a CVE ID.
Using ‘ShadowCoerce’, an attacker could force an Active Directory server to authenticate to a server under the attacker’s control. In turn, this could lead to a complete takeover of the domain. This type of attack is called an ‘NTLM relay attack’.
The ‘ShadowCoerce’ attack works similarly to the previously uncovered ‘PetitPotam’ and ‘PrinterBug’ attacks, which abuse Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) and Print System Remote Protocol (MS-RPRN), respectively.
In December 2021, security researcher Lionel Gilles published a proof-of-concept exploit for ‘ShadowCoerce’. As with other MS-RPC abuses, the attack works by calling protocol methods that accept remote UNC paths, namely IsPathSupported and IsPathShadowCopied.
Successful exploitation of this bug is possible only on systems with the File Server VSS Agent Service enabled. Furthermore, NTLM relay attacks require the attacker to already have a foothold on the network.
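The two preconditions above (the File Server VSS Agent Service being enabled, and an unpatched host) and the relay risk are straightforward to audit from the defender's side. The following PowerShell script is an added example written for this page; it is not code from the article or from Microsoft. It assumes that the File Server VSS Agent Service appears as the Windows Server role feature `FS-VSS-Agent` and as the service `fssagent`, and because the article does not give the KB number of the June 2022 update, that value is a placeholder to fill in for the OS build in question.

```powershell
# Added audit example (not from the article). Run as an administrator on a Windows
# Server host to report whether the ShadowCoerce preconditions described above apply.
# Assumptions: the role feature name FS-VSS-Agent and the service name 'fssagent'
# correspond to the File Server VSS Agent Service; the June 2022 update KB is a
# placeholder because the article does not state it.

$RemoveIfUnused = $false              # set to $true to uninstall the feature where nothing depends on it
$JuneKB         = 'KB<PLACEHOLDER>'   # replace with the June 14, 2022 cumulative update for this build

$report = [ordered]@{}

# 1. Is the File Server VSS Agent Service role feature installed?
#    (Get-WindowsFeature comes from the ServerManager module on Windows Server.)
$feature = Get-WindowsFeature -Name FS-VSS-Agent -ErrorAction SilentlyContinue
$report['FS-VSS-Agent installed'] = [bool]($feature -and $feature.Installed)

# 2. Is the agent service present, and is it running? (assumed service name: fssagent)
$svc = Get-Service -Name fssagent -ErrorAction SilentlyContinue
$report['fssagent service state'] = if ($svc) { $svc.Status.ToString() } else { 'not present' }

# 3. Has the June 2022 update been applied? Get-HotFix returns nothing if the KB is absent.
$report["$JuneKB applied"] = [bool](Get-HotFix -Id $JuneKB -ErrorAction SilentlyContinue)

# 4. Relay mitigation check: does this host require SMB signing on its server side?
#    RequireSecuritySignature = 1 means a relayed NTLM session cannot be used against SMB here.
$smbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb = Get-ItemProperty -Path $smbParams -Name RequireSecuritySignature -ErrorAction SilentlyContinue
$report['SMB server signing required'] = ($smb.RequireSecuritySignature -eq 1)

[PSCustomObject]$report | Format-List

if ($report['FS-VSS-Agent installed'] -and -not $report["$JuneKB applied"]) {
    Write-Warning 'File Server VSS Agent Service is installed and the June 2022 update is missing: this host can be coerced via MS-FSRVP.'
}

if ($RemoveIfUnused -and $report['FS-VSS-Agent installed']) {
    # Removing the role feature removes the MS-FSRVP endpoint entirely. Only do this where
    # no application-consistent backup solution relies on the agent.
    Uninstall-WindowsFeature -Name FS-VSS-Agent -Restart:$false
}
```

The SMB signing check addresses the relay half of the attack rather than the coercion half: coercing an authentication is only useful to an attacker if some service in the domain accepts the relayed credential, so requiring signing (and, on domain controllers, LDAP signing and channel binding) reduces the impact even on hosts where the agent must stay installed.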