SB2021072402 - NTLM relay attacks on Active Directory Certificate Services (AD CS)

Description

This security bulletin contains information about 1 security vulnerability.

1) Authentication bypass by capture-replay (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to weakness in NTLM authentication. A remote attacker cab perform NTLM relay attack to bypass authentication process and gain unauthorized access to the system.

This bulletin is related to software release named PetitPotam that demonstrates exploitation of such NTLM weakness.

You are potentially vulnerable to this attack if NTLM authentication is enabled in your domain and you are using Active Directory Certificate Services (AD CS) with any of the following services:

• Certificate Authority Web Enrollment
• Certificate Enrollment Web Service

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV210003
• https://github.com/topotam/PetitPotam