A privilege escalation vulnerability that affects all versions of Windows and can allow threat actors to gain domain administrator privileges through an NTLM relay attack has received unofficial patches after Microsoft labeled it "won't fix."
The vulnerability, dubbed RemotePotato0 by SentinelOne researchers Antonio Cocomazzi and Andrea Pierini, who found and reported it in April 2021, is a zero-day (according to Microsoft's own definition) that has yet to receive a CVE ID after Redmond declined to issue a fix.
It enables attackers to trigger authenticated RPC/DCOM calls and relay the resulting NTLM authentication to other protocols, allowing them to escalate privileges to domain administrator and, most likely, to compromise the entire domain.
"[It] allows a logged-in low-privileged attacker to launch one of several special-purpose applications in the session of any other user who is also currently logged in to the same computer, and have that application send that user's NTLM hash to an IP address chosen by the attacker," 0patch co-founder Mitja Kolsek explained in a blog post that shares information about the free micropatches released to block exploitation of RemotePotato0 on affected servers.
"By intercepting an NTLM hash from a domain administrator, the attacker can create his own request to the domain controller posing as that administrator and take some administrative action, such as adding himself to the domain administrators group."
On a home system, attackers would have to trick a user with administrator privileges into logging in at the time of the attack for exploitation to succeed.
However, as Kolsek noted, this is much easier on Windows Server systems, where multiple users, including administrators, are commonly logged in at the same time, which removes the need for social engineering.
Below is a video demonstration of the RemotePotato0 micropatch in action.
Administrators were told to disable NTLM or properly configure servers
Windows NT LAN Manager (NTLM) is an authentication protocol used to authenticate remote users and to provide session security when requested by application protocols.
Kerberos replaced NTLM as the default authentication protocol for domain-joined devices in Windows 2000 and all later versions.
Despite this, NTLM is still in use on Windows servers, which lets attackers exploit vulnerabilities such as RemotePotato0, a technique designed to bypass NTLM relay attack mitigations.
Microsoft told the researchers that Windows administrators should either disable NTLM or configure their servers to block NTLM relay attacks, following Microsoft's guidance for Active Directory Certificate Services (AD CS).
The researchers "hope that MS will reconsider its decision not to fix this serious vulnerability," since RemotePotato0 can be exploited without any target interaction when relaying the authentication to other protocols, unlike similar NTLM relay techniques that rely on bugs such as CVE-2020-1113 and CVE-2021-1678.
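The "disable NTLM" option Microsoft offered is rarely safe to flip in one step, because legacy services often still depend on it. The following PowerShell is an added example written for this page (it is not code from the article, from 0patch or from the SentinelOne researchers) that shows the usual rollout on a Windows Server: read the current posture, switch on NTLM auditing, review what still authenticates with NTLM, and only then refuse it. The registry values are the documented backing store for the "Network security: Restrict NTLM" and "LAN Manager authentication level" Group Policy settings; the function names and the three-step order are this example's own choices, not something the page prescribes.

```powershell
# Added example: audit, then restrict, NTLM on a Windows Server.
# Not part of the original article, 0patch or SentinelOne material.
# Run in an elevated PowerShell session; in production apply the same
# values through Group Policy rather than editing the registry by hand.

$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10 = "$Lsa\MSV1_0"

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value was never set (policy "Not Defined").
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-NtlmPosture {
    # One object summarising the host's NTLM-related settings.
    [PSCustomObject]@{
        # 0..5; 5 = "Send NTLMv2 response only. Refuse LM & NTLM".
        # Note: this rejects LM/NTLMv1 only, it does not disable NTLMv2.
        LmCompatibilityLevel         = Get-RegValue $Lsa   'LmCompatibilityLevel'
        # 0 = allow all, 1 = audit, 2 = deny all incoming NTLM to this server
        RestrictReceivingNTLMTraffic = Get-RegValue $Msv10 'RestrictReceivingNTLMTraffic'
        # 0 = allow all, 1 = audit, 2 = deny all outgoing NTLM from this host
        RestrictSendingNTLMTraffic   = Get-RegValue $Msv10 'RestrictSendingNTLMTraffic'
        # 0 = disable, 1 = audit domain accounts, 2 = audit all accounts
        AuditReceivingNTLMTraffic    = Get-RegValue $Msv10 'AuditReceivingNTLMTraffic'
    }
}

function Enable-NtlmAuditOnly {
    # Step 1: log NTLM use without blocking it, so legacy dependencies surface.
    New-Item -Path $Msv10 -Force | Out-Null
    Set-ItemProperty -Path $Msv10 -Name 'AuditReceivingNTLMTraffic'  -Value 2 -Type DWord
    Set-ItemProperty -Path $Msv10 -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord
}

function Get-NtlmAuditEvents([int]$Hours = 24) {
    # Step 2: review who still authenticates with NTLM. The
    # Microsoft-Windows-NTLM/Operational log records 8001 (outgoing NTLM
    # that would be blocked), 8002 (incoming NTLM that would be blocked)
    # and 8003/8004 (domain-wide auditing on domain controllers).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Disable-Ntlm {
    # Step 3: once the audit log has been quiet for a full business cycle,
    # refuse NTLM in both directions. Outgoing NTLM (RestrictSendingNTLMTraffic)
    # is the one that stops a session on this server from handing its NTLM
    # authentication to an attacker-chosen IP address.
    Set-ItemProperty -Path $Lsa   -Name 'LmCompatibilityLevel'         -Value 5 -Type DWord
    Set-ItemProperty -Path $Msv10 -Name 'RestrictReceivingNTLMTraffic' -Value 2 -Type DWord
    Set-ItemProperty -Path $Msv10 -Name 'RestrictSendingNTLMTraffic'   -Value 2 -Type DWord
}

# Typical use: Get-NtlmPosture; Enable-NtlmAuditOnly; (wait) Get-NtlmAuditEvents 168; Disable-Ntlm
Get-NtlmPosture
```

Two caveats for anyone using this. First, these settings only govern the server the attacker has a foothold on; the services the captured authentication is relayed to (domain controller LDAP, AD CS web enrollment) need their own relay protections, which is what Microsoft's AD CS guidance covers. Second, blocking outgoing NTLM with `RestrictSendingNTLMTraffic = 2` will break any client application on that server that still talks NTLM to a remote host, so the audit step is not optional.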
Free patch available until Microsoft provides one
0patch developed the micropatches using the information shared by Cocomazzi and Pierini in their April 2021 report.
Unofficial patches for RemotePotato0 are available for all versions of Windows from Windows 7 to the latest version of Windows 10, and from Windows Server 2008 to Windows Server 2019.
Once the 0patch agent is running, the micropatch is applied automatically and without a reboot, unless an enterprise custom patching policy has been set to block it.