Background
On Tuesday, August 10, 2021, as part of the Microsoft Patch Tuesday release, security updates were made available to address the publicly documented exploit technique PetitPotam, now tracked as CVE-2021-36942. PetitPotam is an exploitation technique that allows a threat actor already inside a target network to steal credentials and authentication information from Windows servers such as a Domain Controller and thereby gain full control of the domain. PetitPotam affects Windows Server versions 2008, 2012, 2016, and 2019.
| CVE ID | CVSS Score V3 | CVSS Criticality | Type | Description |
|---|---|---|---|---|
| CVE-2021-36942 | Initially 7.5, later downgraded to 5.3 | High, later downgraded to Medium | Authentication Bypass by Spoofing | Microsoft Local Security Authority Spoofing |
Analysis
CVE-2021-36942 | Windows LSA Spoofing Vulnerability
This vulnerability is a spoofing vulnerability in Windows Local Security Authority (LSA) which could allow an unauthenticated attacker using New Technology LAN Manager (NTLM) to trick a domain controller into authenticating with another server.
Solutions and Recommendations
Microsoft has stated in their advisory that the patch for PetitPotam may affect systems in specific circumstances. The EFS API OpenEncryptedFileRaw(A/W), often used in backup software, continues to work in all versions of Windows, both local and remote, except when backing up to or from a system running Windows Server 2008 SP2. OpenEncryptedFileRaw will no longer work on Windows Server 2008 SP2.
While all Windows Server versions are affected by PetitPotam, we recommend placing a priority focus on patching Domain Controllers ahead of other servers.
Arctic Wolf’s recommendation is to apply the patch for CVE-2021-36942 to prevent PetitPotam exploit scenarios in your environment. Details on how to apply this patch for your specific Windows Server version can be found here:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942
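The following PowerShell inventory is an added example, not Arctic Wolf's tooling, for putting the recommendation above into practice: it lists domain controllers first, then member servers, and flags any affected Windows Server version that has not received a security update since the August 10, 2021 Patch Tuesday. It assumes the ActiveDirectory RSAT module and WinRM access to each server; the exact KB numbers for your OS version are not stated on this page, so they are taken from the MSRC update guide and passed in via the optional $KbIds parameter.

```powershell
# Added example: verify CVE-2021-36942 patch coverage, domain controllers first.
# Assumes RSAT ActiveDirectory module and WinRM (Invoke-Command) access.
# $KbIds is optional: supply the KB number(s) for your OS version from the MSRC
# update guide; without it the script falls back to a date-based heuristic.
param(
    [string[]] $KbIds = @()   # placeholder: e.g. @('KB<from MSRC update guide>')
)
Import-Module ActiveDirectory

$patchTuesday     = Get-Date '2021-08-10'
$affectedVersions = 'Windows Server 2008', 'Windows Server 2012',
                    'Windows Server 2016', 'Windows Server 2019'

# Domain controllers are the primary PetitPotam target, so check them first.
$dcs     = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$servers = Get-ADComputer -Filter 'OperatingSystem -like "Windows Server*"' -Properties OperatingSystem |
           Where-Object { $_.DNSHostName -notin $dcs }

$targets = @($dcs     | ForEach-Object { [pscustomobject]@{ Host = $_;            Role = 'DomainController' } }) +
           @($servers | ForEach-Object { [pscustomobject]@{ Host = $_.DNSHostName; Role = 'MemberServer' } })

foreach ($t in $targets) {
    try {
        $result = Invoke-Command -ComputerName $t.Host -ErrorAction Stop -ScriptBlock {
            param($since, $kbs)
            $os     = (Get-CimInstance Win32_OperatingSystem).Caption
            $fixes  = Get-HotFix
            # Security updates installed on or after the August 2021 Patch Tuesday.
            $recent = $fixes | Where-Object { $_.InstalledOn -ge $since -and $_.Description -eq 'Security Update' }
            $kbHit  = if ($kbs) { $fixes | Where-Object { $_.HotFixID -in $kbs } } else { $null }
            [pscustomobject]@{ OS = $os; RecentSecurityUpdates = @($recent).Count; KbInstalled = [bool]$kbHit }
        } -ArgumentList $patchTuesday, $KbIds
    } catch {
        # Unreachable hosts still need a decision; surface them rather than skipping.
        [pscustomobject]@{ Host = $t.Host; Role = $t.Role; OS = 'unreachable'; Status = 'CHECK MANUALLY' }
        continue
    }
    $affected = $affectedVersions | Where-Object { $result.OS -like "*$_*" }
    $status = if (-not $affected)                      { 'not in affected version list' }
              elseif ($result.KbInstalled)             { 'patched (KB present)' }
              elseif ($result.RecentSecurityUpdates)   { 'likely patched (post-2021-08-10 security update present)' }
              else                                     { 'NEEDS PATCH' }
    [pscustomobject]@{ Host = $t.Host; Role = $t.Role; OS = $result.OS; Status = $status }
}
```

The date-based status is a heuristic only; treat a "NEEDS PATCH" or "CHECK MANUALLY" domain controller as the first item to act on, and confirm "likely patched" hosts against the KB numbers from the MSRC page.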