Microsoft Silently Fixes ShadowCoerce Bug

Written by Emma Davis

Microsoft announced that as part of the June “Patch Tuesday” updates it fixed the previously disclosed ShadowCoerce vulnerability, which allowed attackers to attack Windows servers using NTLM relay attacks. Such attacks can be used to force authentication and take over the Windows domain.

According to Bleeping Computer, citing a Microsoft representative, there has been no public statement regarding the ShadowCoerce problem yet, but the risks from the PoC exploit of the same name were mitigated by the patch for the CVE-2022-30154 vulnerability, which affected the same component.

Journalists recall that the ShadowCoerce problem was discovered and described in 2021 by French researcher Gilles Lionel, when he disclosed information about the PetitPotam vulnerability. As the expert wrote at the time, this attack method allowed forced authentication only through MS-FSRVP (File Server Remote VSS Protocol) on systems with the File Server VSS Agent Service enabled.

As a reminder, we previously reported that researchers published an unofficial patch for the PetitPotam vulnerability.

Lionel further demonstrated that the protocol is also vulnerable to NTLM relay attacks, which can force a domain controller to authenticate to a malicious NTLM relay under the control of an attacker. The malicious server then relays the authentication request to the domain’s Active Directory Certificate Services (AD CS) to obtain a Kerberos TGT, which allows it to impersonate any network device, including the Windows domain controller itself.
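Because the attack chain above only starts on hosts where the File Server VSS Agent Service (MS-FSRVP) is enabled, the practical first step for a defender is to inventory which servers expose it and whether the June 2022 updates have reached them. The following PowerShell script is an added example, not code from the article or from Microsoft. It assumes a Windows Server host with the ServerManager module available, that the role service is named FS-VSS-Agent, that the service's display name is 'File Server VSS Agent Service' as the article states, and that the June 2022 Patch Tuesday fell on 14 June 2022; the function name Test-FsrvpExposure is hypothetical.

```powershell
# Added example (not from the article): inventory check for the ShadowCoerce
# precondition, i.e. whether MS-FSRVP is enabled on this server and which
# updates have been installed since the June 2022 Patch Tuesday.
# Assumptions: ServerManager module present (server SKUs), role service name
# 'FS-VSS-Agent', service display name 'File Server VSS Agent Service'.

function Test-FsrvpExposure {
    [CmdletBinding()]
    param(
        # Assumed date of the June 2022 Patch Tuesday; used only to list recent updates.
        [datetime]$PatchTuesday = [datetime]'2022-06-14'
    )

    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        FeatureInstalled = $false
        ServiceState     = 'NotPresent'
        RecentUpdates    = @()
    }

    # 1. Is the File Server VSS Agent role service installed?
    #    Get-WindowsFeature only exists on server SKUs, so guard for it.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name 'FS-VSS-Agent' -ErrorAction SilentlyContinue
        if ($feature) { $result.FeatureInstalled = [bool]$feature.Installed }
    }

    # 2. Is the service itself present, and is it running?
    #    Matching on the display name avoids depending on the short service name.
    $svc = Get-Service -DisplayName 'File Server VSS Agent Service' -ErrorAction SilentlyContinue
    if ($svc) { $result.ServiceState = $svc.Status.ToString() }

    # 3. Which updates have been installed on or after the assumed Patch Tuesday?
    #    Get-HotFix reports a null InstalledOn for some entries, so filter those out.
    $result.RecentUpdates = @(
        Get-HotFix |
            Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
            Select-Object -ExpandProperty HotFixID
    )

    [pscustomobject]$result
}

# Usage: run on each file server, or wrap in Invoke-Command for a fleet.
$r = Test-FsrvpExposure
$r | Format-List

if ($r.FeatureInstalled -or $r.ServiceState -eq 'Running') {
    Write-Warning ("MS-FSRVP is exposed on {0}: confirm the June 2022 update is applied, " +
                   "or remove the role service if it is not needed.") -f $r.ComputerName
}
```

The script deliberately reports the role service, the running service and the recent update list as separate fields rather than a single verdict, since the article gives no KB number for the fix; an operator compares the listed HotFixIDs against their own patch baseline and treats any host with the service running and no June update as exposed.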


The “silent” fix of the ShadowCoerce bug was noticed by the head of ACROS Security, Mitya Kolsek, when he studied the problem with the 0Patch team while planning to release an unofficial patch for it. It turned out that Microsoft had fixed the vulnerability but had not published any details and had not even assigned a CVE identifier to it.

The incident prompted security companies and independent researchers to publicly approach Microsoft (1, 2, 3, 4) and demand more transparency from the company, including more detailed information about fixes in its security bulletins.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
