MCNC continues to work to restore services in Western NC after Hurricane Helene. We have included options for helping those in need here: Hurricane Helene
07.27.2021

PetitPotam & SeriousSAM

Alert
  • facebook share link
  • twitter share link
  • linkedin share link
  • mail share link

Date of Notice:07/27/2021

Action Level - HIGH

Description

MCNC would like to make you aware of two HIGH severity Windows vulnerabilities that should be mitigated immediately; at this time Microsoft hasn’t released a patch.

The first is PetitPotam, a NTLM attack which can permit an attacker to potentially take over a Windows Domain Controller or other Windows Server. Microsoft’s Advisory is linked here.

The second is SeriousSAM, also called HiveNightmare. This is tracked by CVE-2021-36934 and permits an attacker to gain access to hashed credentials on a Windows Server device. Microsoft’s Advisory is linked here.

Affected Devices

PetitPotam

  • Windows Server 2008 and newer with Active Directory Certificate Services (AD CS) AND Certificate Authority Web Enrollment OR Certificate Enrollment Web Service

CVE-2021-36934 / SeriousSAM / HiveNightmare

  • Windows 1809 and newer
  • Windows Server 2019 and newer

Attack Vector

PetitPotam

Attackers with network access to impacted devices.

CVE-2021-36934 / SeriousSAM / HiveNightmare

Any attacker must be able to execute code on a vulnerable device.

Attack Feasibility

PetitPotam

This has been publicly disclosed and is likely to be exploited in the future, Microsoft has not found any indication of it being actively exploited.

CVE-2021-36934 / SeriousSAM / HiveNightmare

This has been publicly disclosed and is likely to be exploited in the future, Microsoft has not found any indication of it being actively exploited.

Mitigations

PetitPotam

Follow the workarounds section in the Microsoft KB to disable or harden NTLM

CVE-2021-36934 / SeriousSAM / HiveNightmare

Microsoft details the workaround in their Advisory. In short you correct the permissions issue and delete shadow copies. NOTE: Deleting shadow copies is a common Ransomware tactic and your A/V may trigger on this event.

Remediation

Microsoft has yet to release a patch for either of these vulnerabilities.

MCNC
PO Box 12889
3021 East Cornwallis Road
RTP, NC 27709-2889
919-248-1900 Phone | 919-248-1101 Fax
Connect With Us
  • linkedin
  • instagram
  • x
  • facebook
  • youtube
© 2024 MCNC