The remote host is affected by an NTLM reflection elevation of privilege vulnerability known as 'PetitPotam'. An unauthenticated, remote attacker can exploit this by sending a specially crafted EFSRPC request that coerces the affected host into authenticating to an attacker-controlled server. The attacker can then relay that NTLM authentication to impersonate the target host against any remote service that does not enforce NTLM signing or Extended Protection for Authentication (EPA). The coercion is only the first half of the attack; its impact depends on which relay targets in the environment are left unprotected.
One attack scenario, described in KB5005413, uses this coercion to obtain an NTLM session as a domain controller's machine account. That session is relayed to an Active Directory Certificate Services (AD CS) host (typically a web enrollment endpoint that still accepts NTLM without EPA) to obtain a certificate for the DC's machine account. Because that certificate lets the attacker authenticate as the domain controller itself, the practical outcome is full domain compromise rather than merely lateral movement.
{"id": "WINDOWS_PETITPOTAM.NBIN", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "Microsoft Windows EFSRPC NTLM Reflection Elevation of Privilege (PetitPotam) (Remote)", "description": "The remote host is affected by an NTLM reflection elevation of privilege vulnerability known as 'PetitPotam'. An unauthenticated, remote attacker can exploit this, by sending a specially-crafted EFSRPC request, to cause the affected host to connect to a malicious server. An attacker can then utilize an NTLM relay to impersonate the target host and authenticate against remote services.\n\nOne attack scenario, described within KB5005413, uses this exploit to initiate an NTLM session as a domain controller's machine account. This session is then relayed to an Active Directory Certificate Services (AD CS) host to obtain a certificate. This certificate could be then used to move laterally within the domain environment.", "published": "2021-07-27T00:00:00", "modified": "2023-05-31T00:00:00", "epss": [], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/nessus/152102", "reporter": "This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", "http://www.nessus.org/u?d0ab9e93", "https://kb.cert.org/vuls/id/405600", "https://github.com/topotam/PetitPotam", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36942"], "cvelist": [], "immutableFields": [], "lastseen": "2023-06-01T14:29:40", "viewCount": 665, "enchantments": {"dependencies": {"references": []}, "score": {"value": 2.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:1196BAF9-A467-480D-A40C-F3E93D5888D6"]}, {"type": "avleonov", "idList": ["AVLEONOV:3530747E605445686B7211B2B0853579"]}, {"type": "cert", "idList": ["VU:405600"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0487"]}, {"type": "cisa", "idList": ["CISA:1AD0E0C2A1CB165DDD5F6A0F4C21101D"]}, {"type": "cve", "idList": ["CVE-2021-36942"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:3A510C521DE8145372456D2B0FE8C8E5"]}, {"type": "hivepro", "idList": ["HIVEPRO:1BBAC0CD5F3681EC49D06BE85DC90A92", "HIVEPRO:C0B03D521C5882F1BE07ECF1550A5F74"]}, {"type": "kaspersky", "idList": ["KLA12250", "KLA12259"]}, {"type": "mscve", "idList": ["MS:CVE-2021-36942"]}, {"type": "mskb", "idList": ["KB5005033"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_AUG_5005043.NASL"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0F0ACCA731E84F3B1067935E483FC950"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:03B1EB65D8A7CFE486943E2472225BA1", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:D9E3C0B84D67BD0A26DEAD5F6F4EAAC4", "RAPID7BLOG:DE426F8A59CA497BB6C0B90C0F1849CD"]}, {"type": "thn", "idList": ["THN:F601EBBE359B3547B8E79F0217562FEF"]}, {"type": "threatpost", "idList": ["THREATPOST:8D4EA8B0593FD44763915E703BC9AB72"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-36942", "epss": 0.88993, "percentile": 0.98165, "modified": "2023-05-07"}], "vulnersScore": 2.1}, "_state": {"dependencies": 1685635868, "score": 1685629957, 
"epss": 0}, "_internal": {"score_hash": "55f387f1786c6ac58b76d230be943372"}, "pluginID": "152102", "sourceData": "Binary data windows_petitpotam.nbin", "naslFamily": "Windows", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Apply the updates supplied by the vendor. Optionally, refer to Microsoft's KB5005413 for mitigation guidance. RPC filters may also be implemented to block remote access to the interface UUIDs necessary for this exploit.", "nessusSeverity": "Medium", "cvssScoreSource": "CVE-2021-36942", "vendor_cvss2": {"score": 5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "vendor_cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "vpr": {"risk factor": "Medium", "score": "4.9"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": null, "vulnerabilityPublicationDate": "2021-07-18T00:00:00", "exploitableWith": []}