Windows Local Security Authority (LSA) Spoofing Vulnerability “PetitPotam”


Background

On Tuesday, August 10, 2021, as part of the Microsoft Patch Tuesday release, security updates were made available to address the publicly documented exploit technique PetitPotam, now tracked as CVE-2021-36942. PetitPotam is an exploitation technique that allows a threat actor within a target network to steal credentials and authentication information from Windows Servers, such as a Domain Controller, to gain full control of the domain. PetitPotam affects Windows Server versions 2008, 2012, 2016, and 2019.

| CVE ID | CVSS Score V3 | CVSS Criticality | Type | Description |
|---|---|---|---|---|
| CVE-2021-36942 | Initially 7.5, later downgraded to 5.3 | High, later downgraded to Medium | Authentication Bypass by Spoofing | Microsoft Local Security Authority Spoofing |

Analysis

CVE-2021-36942 | Windows LSA Spoofing Vulnerability

This vulnerability is a spoofing vulnerability in Windows Local Security Authority (LSA) which could allow an unauthenticated attacker using New Technology LAN Manager (NTLM) to trick a domain controller into authenticating with another server.

Solutions and Recommendations

Microsoft has stated in their advisory that this patch for PetitPotam can have a potential impact on systems in specific circumstances. The EFS API OpenEncryptedFileRaw(A/W), often used in backup software, continues to work in all versions of Windows, both local and remote, except when backing up to or from a system running Windows Server 2008 SP2. OpenEncryptedFileRaw will no longer work on Windows Server 2008 SP2.

While all Windows Server versions are affected by PetitPotam, we recommend placing a priority focus on patching Domain Controllers ahead of other servers.

Arctic Wolf’s recommendation is to apply the patch for CVE-2021-36942 to prevent PetitPotam exploit scenarios in your environment. Details on how to apply this patch for your specific Windows Server version can be found here:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942


Adrian Korn


Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.