07.27.2021

PetitPotam & SeriousSAM

By MCNC Admin

Date of Notice: 07/27/2021

Action Level - HIGH

Description

MCNC would like to make you aware of two HIGH severity Windows vulnerabilities that should be mitigated immediately; at this time Microsoft hasn’t released a patch.

The first is PetitPotam, an NTLM attack that can permit an attacker to potentially take over a Windows Domain Controller or other Windows Server. Microsoft’s Advisory is linked here.

The second is SeriousSAM, also called HiveNightmare. This is tracked by CVE-2021-36934 and permits an attacker to gain access to hashed credentials on a Windows Server device. Microsoft’s Advisory is linked here.

Affected Devices

PetitPotam

  • Windows Server 2008 and newer with Active Directory Certificate Services (AD CS) AND Certificate Authority Web Enrollment OR Certificate Enrollment Web Service

CVE-2021-36934 / SeriousSAM / HiveNightmare

  • Windows 1809 and newer
  • Windows Server 2019 and newer

Attack Vector

PetitPotam

Attackers with network access to impacted devices.

CVE-2021-36934 / SeriousSAM / HiveNightmare

An attacker must be able to execute code on a vulnerable device.

Attack Feasibility

PetitPotam

This has been publicly disclosed and is likely to be exploited in the future. Microsoft has not found any indication of it being actively exploited.

CVE-2021-36934 / SeriousSAM / HiveNightmare

This has been publicly disclosed and is likely to be exploited in the future. Microsoft has not found any indication of it being actively exploited.

Mitigations

PetitPotam

Follow the workarounds section in the Microsoft KB to disable or harden NTLM.

CVE-2021-36934 / SeriousSAM / HiveNightmare

Microsoft details the workaround in their Advisory. In short, you correct the permissions issue and delete shadow copies. NOTE: Deleting shadow copies is a common Ransomware tactic and your A/V may trigger on this event.
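One way to check a host for the SeriousSAM condition and apply the workaround summarized above, as an added example that is not part of the MCNC notice or Microsoft's advisory. The function names are hypothetical, and the `icacls` and `vssadmin` invocations are assumed to match the workaround in Microsoft's advisory for CVE-2021-36934 and should be confirmed against it.

```powershell
# Added example, not from the MCNC notice. Run from an elevated PowerShell prompt.
$UsersSid = 'S-1-5-32-545'                          # well-known SID of BUILTIN\Users
$HiveDir  = Join-Path $env:windir 'System32\config'
$ReadData = [System.Security.AccessControl.FileSystemRights]::ReadData

function Get-ExposedHive {
    # One object per Allow ACE that lets BUILTIN\Users read a registry hive file.
    foreach ($name in 'SAM', 'SYSTEM', 'SECURITY') {
        $path  = Join-Path $HiveDir $name
        $rules = (Get-Acl -Path $path).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -eq 'Allow' -and
                $rule.IdentityReference.Value -eq $UsersSid -and
                $rule.FileSystemRights.HasFlag($ReadData)) {
                [pscustomobject]@{
                    Path      = $path
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

function Get-ExistingShadowCopy {
    # Snapshots taken while the ACL was weak keep the weak ACL, so list them too.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

function Repair-HiveAcl {
    # Applies the two workaround steps; -WhatIf previews without changing anything.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($HiveDir, 'Restore ACL inheritance, delete shadow copies')) {
        icacls "$HiveDir\*.*" /inheritance:e
        # Expect an A/V or EDR alert here: ransomware deletes shadow copies as well.
        vssadmin delete shadows "/for=$($env:SystemDrive)" /Quiet
    }
}

$exposed = @(Get-ExposedHive)
$shadows = @(Get-ExistingShadowCopy)
"{0} exposed hive ACE(s), {1} shadow copy(ies) present" -f $exposed.Count, $shadows.Count
$exposed | Format-Table -AutoSize
if ($exposed.Count -gt 0) { Repair-HiveAcl -WhatIf }   # drop -WhatIf to apply
```

After the workaround is applied, re-run the two audit functions to confirm that no exposed ACE and no pre-fix shadow copy remains.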

Remediation

Microsoft has yet to release a patch for either of these vulnerabilities.
