Certificate Services Vulnerability – July 2021

The PetitPotam attack takes advantage of environments where Active Directory Certificate Services (AD CS) is not configured with protections against NTLM relay. PetitPotam itself uses the MS-EFSRPC interface to coerce a domain controller into authenticating to an attacker-controlled host; the attacker relays that NTLM authentication to the AD CS web enrolment endpoints and obtains a certificate for the domain controller's machine account, which can then be used to authenticate as that domain controller. This leads to takeover of the domain controller, and ultimately the entire domain. You will be vulnerable if NTLM authentication is enabled and AD CS is running either of:

Certificate Authority Web Enrolment (a set of web pages, the /certsrv application on the CA's IIS instance, through which a user can interactively submit a certificate request and download the issued certificate)

Certificate Enrolment Web Service (a web service that handles certificate enrolment for clients that are not domain-joined or cannot reach a domain controller directly, e.g. hosts in a DMZ)

The details are in the following Microsoft Article

https://msrc.microsoft.com/update-guide/vulnerability/ADV210003

The mitigations for this attack are outlined in the following Microsoft article:

https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429

(If either component is enabled but not actually used, consider removing it altogether rather than hardening it.)
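As an added example (not from the original page or from either Microsoft article), the following PowerShell script audits the IIS-side settings that KB5005413 has you change through the IIS Manager UI (Extended Protection set to Required, SSL required, NTLM removed from the Windows Authentication providers) and, when run with -Enforce, applies them. It uses the WebAdministration module; the site name 'Default Web Site', the CertSrv path and the *_CES_Kerberos application name pattern are assumptions about a default installation, and the Get-AttrValue helper is my own.

```powershell
# Added example: audit and optionally enforce the KB5005413 IIS hardening on an AD CS server.
# Run in an elevated PowerShell session on the server hosting CA Web Enrolment and/or CES.
# Assumptions: default site name, /CertSrv path, and the '<CA>_CES_Kerberos' application name pattern.
[CmdletBinding()]
param(
    [switch]$Enforce,
    [string]$SiteName = 'Default Web Site'
)

Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

# Helper (own code): Get-WebConfigurationProperty returns either a plain value or an
# attribute object with a .Value member depending on the property type; normalise to string.
function Get-AttrValue {
    param($Obj)
    if ($null -ne $Obj -and $Obj.PSObject.Properties['Value']) { return [string]$Obj.Value }
    return [string]$Obj
}

# Collect the IIS locations that expose AD CS enrolment over HTTP.
$locations = @()
if (Test-Path "IIS:\Sites\$SiteName\CertSrv") {
    $locations += "$SiteName/CertSrv"
}
Get-WebApplication -Site $SiteName |
    Where-Object { $_.path -like '*_CES_Kerberos' } |
    ForEach-Object { $locations += "$SiteName$($_.path)" }

if (-not $locations) {
    Write-Warning "No CA Web Enrolment or CES (Kerberos) applications found under '$SiteName'."
    return
}

foreach ($loc in $locations) {
    $common = @{ PSPath = $appHost; Location = $loc }

    $epa = Get-AttrValue (Get-WebConfigurationProperty @common -Filter "$winAuth/extendedProtection" -Name tokenChecking)
    $ssl = Get-AttrValue (Get-WebConfigurationProperty @common -Filter 'system.webServer/security/access' -Name sslFlags)
    $providers = @(Get-WebConfiguration @common -Filter "$winAuth/providers/add" | ForEach-Object { $_.value })

    $relayable = ($epa -ne 'Require') -or ($ssl -notmatch 'Ssl') -or ($providers -contains 'NTLM') -or ($providers -contains 'Negotiate')
    Write-Host ("{0,-45} EPA={1,-8} SSL={2,-18} Providers={3}" -f $loc, $epa, $ssl, ($providers -join ','))
    if (-not $relayable) { continue }

    if (-not $Enforce) {
        Write-Warning "$loc accepts relayable NTLM authentication; re-run with -Enforce to apply KB5005413 settings."
        continue
    }

    # EPA 'Require': the server rejects authentication tokens that are not bound to this TLS session,
    # so a token relayed from another connection fails.
    Set-WebConfigurationProperty @common -Filter "$winAuth/extendedProtection" -Name tokenChecking -Value 'Require'
    # Require TLS on the location; without it there is no channel to bind to (needs an HTTPS binding on the site).
    Set-WebConfigurationProperty @common -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    # Leave only Negotiate:Kerberos as a provider; NTLM and plain Negotiate (which falls back to NTLM) are removed.
    foreach ($p in $providers) {
        if ($p -ne 'Negotiate:Kerberos') {
            Remove-WebConfigurationProperty @common -Filter "$winAuth/providers" -Name '.' -AtElement @{ value = $p }
        }
    }
    if ($providers -notcontains 'Negotiate:Kerberos') {
        Add-WebConfigurationProperty @common -Filter "$winAuth/providers" -Name '.' -Value @{ value = 'Negotiate:Kerberos' }
    }
    Write-Host "  -> hardened $loc"
}
```

Run it once without -Enforce to see the current state of each endpoint, then with -Enforce once the site has an HTTPS binding (setting sslFlags to Ssl with no HTTPS binding locks everyone out). The script covers only the IIS authentication settings; KB5005413 additionally has you edit the CES application's web.config to set extendedProtectionPolicy to Always, and recommends the "Network security: Restrict NTLM: Incoming NTLM traffic" policy (Deny all) on the AD CS server and domain controllers, neither of which this script changes.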
