PetitPotam & SeriousSAM
Date of Notice: 07/27/2021
Action Level - HIGH
Description
MCNC would like to make you aware of two HIGH severity Windows vulnerabilities that should be mitigated immediately; at this time Microsoft hasn’t released a patch.
The first is PetitPotam, an NTLM attack which can permit an attacker to potentially take over a Windows Domain Controller or other Windows Server. Microsoft’s Advisory is linked here.
The second is SeriousSAM, also called HiveNightmare. This is tracked by CVE-2021-36934 and permits an attacker to gain access to hashed credentials on a Windows Server device. Microsoft’s Advisory is linked here.
Affected Devices
PetitPotam
- Windows Server 2008 and newer with Active Directory Certificate Services (AD CS) AND Certificate Authority Web Enrollment OR Certificate Enrollment Web Service
CVE-2021-36934 / SeriousSAM / HiveNightmare
- Windows 10 version 1809 and newer
- Windows Server 2019 and newer
Attack Vector
PetitPotam
Attackers with network access to impacted devices.
CVE-2021-36934 / SeriousSAM / HiveNightmare
Any attacker must be able to execute code on a vulnerable device.
Attack Feasibility
PetitPotam
This has been publicly disclosed and is likely to be exploited in the future; Microsoft has not found any indication of it being actively exploited.
CVE-2021-36934 / SeriousSAM / HiveNightmare
This has been publicly disclosed and is likely to be exploited in the future; Microsoft has not found any indication of it being actively exploited.
Mitigations
PetitPotam
Follow the workarounds section in the Microsoft KB to disable or harden NTLM.
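The following read-only audit script is an added example and is not part of the MCNC notice or the Microsoft KB. It checks whether a server carries the two AD CS role services named under Affected Devices and, if so, whether the CertSrv web application already has the NTLM hardening the KB describes (Extended Protection for Authentication set to Require, and SSL required). It assumes a Windows Server host with the ServerManager and WebAdministration modules, an elevated session, and that the AD CS web application lives under "Default Web Site" (the AD CS default; adjust $site if yours differs).

```powershell
# Added example (not from the MCNC notice or the Microsoft KB): audit a server for
# PetitPotam relay exposure via AD CS web enrollment. Read-only; it changes nothing.
# Assumptions: Windows Server, elevated PowerShell, ServerManager + WebAdministration
# modules present, AD CS web app under 'Default Web Site' (site name is an assumption).
Import-Module ServerManager -ErrorAction Stop
Import-Module WebAdministration -ErrorAction Stop

# Role services from the Affected Devices list: CA Web Enrollment and Certificate
# Enrollment Web Service. Both expose an NTLM-authenticated HTTP endpoint.
$roles     = Get-WindowsFeature -Name 'ADCS-Web-Enrollment', 'ADCS-Enroll-Web-Svc'
$installed = $roles | Where-Object Installed
if (-not $installed) {
    Write-Output 'Neither AD CS web enrollment role service is installed on this host.'
    return
}
Write-Warning ("AD CS web role services installed: {0}" -f ($installed.Name -join ', '))

$site     = 'Default Web Site'   # assumption: default AD CS site
$app      = 'CertSrv'            # default AD CS web enrollment application
$location = "$site/$app"

# Get-WebConfigurationProperty returns either a raw value or an attribute object
# with a .Value member depending on the property; normalise to a string.
function Get-AttrValue {
    param($Attr)
    if ($null -ne $Attr -and $Attr.PSObject.Properties['Value']) { return "$($Attr.Value)" }
    return "$Attr"
}

# Extended Protection for Authentication: 'Require' binds the NTLM exchange to the
# TLS channel, which is what stops a relayed authentication from being accepted here.
$epa = Get-AttrValue (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location $location `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
    -Name 'tokenChecking')

# EPA only helps if the endpoint actually requires TLS.
$ssl = Get-AttrValue (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location $location `
    -Filter 'system.webServer/security/access' -Name 'sslFlags')

[PSCustomObject]@{
    Location           = $location
    ExtendedProtection = $epa            # expected after hardening: Require
    SslFlags           = $ssl            # expected after hardening: contains Ssl
    Hardened           = ($epa -eq 'Require' -and $ssl -match 'Ssl')
}
```

Run it on each certificate authority and on any server hosting the enrollment web services; a result with Hardened = False on a host where the role services are installed is the condition the KB workaround addresses. Disabling NTLM outright for those sites (the KB's stronger option) is not checked here.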
CVE-2021-36934 / SeriousSAM / HiveNightmare
Microsoft details the workaround in their Advisory. In short, you correct the permissions issue and delete shadow copies. NOTE: Deleting shadow copies is a common ransomware tactic and your A/V may trigger on this event.
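The script below is an added example and is not part of the MCNC notice or Microsoft's advisory. It first audits the host for the CVE-2021-36934 condition (BUILTIN\Users able to read the SAM, SECURITY and SYSTEM hive files) and reports how many shadow copies exist, since a fixed ACL does not remove hive copies already captured in earlier snapshots. Only when run with -Apply does it perform the two workaround steps the advisory describes: restore ACL inheritance on %windir%\System32\config and delete existing shadow copies. It assumes an elevated Windows PowerShell session on an affected Windows 10 / Windows Server build.

```powershell
# Added example (not from the MCNC notice or the Microsoft advisory): audit for the
# SeriousSAM/HiveNightmare permission issue, and apply Microsoft's workaround on opt-in.
# Assumption: elevated Windows PowerShell on the affected host; standard hive paths.
[CmdletBinding()]
param([switch]$Apply)

$configDir = Join-Path $env:SystemRoot 'System32\config'
$hives = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $configDir $_ }

function Test-HiveExposed {
    # Vulnerable state: an Allow ACE for BUILTIN\Users that includes read access.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)) {
            return $true
        }
    }
    return $false
}

$exposed = @($hives | Where-Object { Test-HiveExposed -Path $_ })
if ($exposed.Count -gt 0) {
    Write-Warning ("Hive files readable by BUILTIN\Users: {0}" -f ($exposed -join ', '))
} else {
    Write-Output 'Hive ACLs do not grant BUILTIN\Users read access.'
}

# Shadow copies taken while the ACL was wrong still expose readable hives, which is
# why the advisory's workaround includes deleting them.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
Write-Output ("Volume shadow copies present: {0}" -f $shadows.Count)

if ($Apply) {
    # Step 1 (from the advisory): re-enable inheritance so the hive files pick up the
    # restrictive ACL of the config directory again.
    & icacls "$configDir\*.*" /inheritance:e

    # Step 2 (from the advisory): remove existing shadow copies of the system drive.
    # This is the action the notice warns about: EDR/AV commonly alerts on it because
    # ransomware does the same, so announce the maintenance window before running it.
    & vssadmin delete shadows /for=$env:SystemDrive /Quiet
}
```

Run without -Apply first across the fleet to inventory exposed hosts; then run with -Apply during a planned window, after a fresh backup, since the deleted shadow copies are also your local restore points.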
Remediation
Microsoft has yet to release a patch for either of these vulnerabilities.