Security News > 2022 > May > New Windows PetitPotam NTLM Relay attack vector fixed in May updates
A recent security update for a Windows NTLM Relay Attack has been confirmed to be a previously unfixed vector for the PetitPotam attack.
PetitPotam is an NTLM Relay Attack tracked as CVE-2021-36942 that French security researcher GILLES Lionel discovered, aka Topotam, in July.
BleepingComputer has since confirmed that the recently fixed NTLM Relay Attack bug does fix an unpatched vector for the PetitPotam attack.
Raphael John, who Microsoft attributes for the discovery of the new NTLM Relay vulnerability, says that he discovered that PetitPotam was still working when conducting pentests in January and March.
Gilles has confirmed to BleepingComputer that the new security update has now fixed the PetitPotam 'EfsRpcOpenFileRaw' vector, but other EFS vectors still exist, allowing the attack to work.
As new PetitPotam vectors and other NTML Relay attacks will be discovered in the future, Microsoft suggests that Windows domain admins become familiar with the mitigations outlined in their 'Mitigating NTLM Relay Attacks on Active Directory Certificate Services' support document.
- Microsoft fixes new PetitPotam Windows NTLM Relay attack vector (source)
- New DFSCoerce NTLM Relay attack allows Windows domain takeover (source)
- New NTLM Relay Attack Lets Attackers Take Control Over Windows Domain (source)
- Microsoft fixes new NTLM relay zero-day in all Windows versions (source)
- Microsoft patches Windows LSA spoofing zero-day under active attack (CVE-2022-26925) (source)
- Hackers have carried out over 65,000 attacks through Windows’ Print Spooler exploit (source)
- Microsoft closes Windows LSA hole under active attack (source)
- Microsoft shares mitigation for Windows KrbRelayUp LPE attacks (source)
- Windows zero-day exploited in US local govt phishing attacks (source)
- Qbot malware now uses Windows MSDT zero-day in phishing attacks (source)
|2021-08-12||CVE-2021-36942|| Authentication Bypass by Spoofing vulnerability in Microsoft products |
Windows LSA Spoofing Vulnerability
| 5.0 |