Free Unofficial Patch for Windows ‘RemotePotato0’ Now Available
Threat Actors Could Abuse It to Trigger a Wave of NTLM Relay Attacks.
An unofficial patch has been released for a privilege escalation vulnerability affecting all supported versions of Windows, after Microsoft marked the issue "won't fix". The flaw lies in Windows RPC/DCOM handling and was named RemotePotato0 by the researchers who found it. A local attacker who exploits it can relay the NTLM authentication of another user logged in to the same machine; if that user is a domain administrator, the relay yields domain admin privileges.
RemotePotato0: Why It Is Dangerous
The privilege escalation flaw was discovered by Antonio Cocomazzi of SentinelLabs together with independent researcher Andrea Pierini. They named it RemotePotato0 and disclosed it in April 2021.
RemotePotato0 is currently treated as a zero-day: no fix and no CVE ID have been issued, although a CVE is expected to be assigned. The bug lets a low-privileged local user force another logged-in user's session to make an authenticated RPC/DCOM call to an attacker-controlled endpoint, and the resulting NTLM authentication can then be relayed to other protocols such as HTTP, LDAP or SMB. If the coerced user is a domain administrator, the attacker can elevate to domain admin, which can lead to compromise of the entire domain.
Mitja Kolsek, the 0patch co-founder, explained in a blog post that
It allows a logged-in low-privileged attacker to launch one of several special-purpose applications in the session of any other user who is also currently logged in to the same computer, and make that application send said user's NTLM hash to an IP address chosen by the attacker. (…) Intercepting an NTLM hash from a domain administrator, the attacker can craft their own request for the domain controller pretending to be that administrator and perform some administrative action such as adding themselves to the Domain Administrators group.
To exploit the bug, the attacker needs a user with administrative privileges to be logged in to the same machine at the time of the attack. According to Kolsek, this condition is easy to meet on Windows Server, where many users are typically logged in at once (for example through Remote Desktop), so no social engineering is required.
0patch also shared a video demonstrating how RemotePotato0 works.
A Free Unofficial Patch for RemotePotato0
According to BleepingComputer, Microsoft's advice to Windows administrators is to disable NTLM where possible, or to configure servers to block NTLM relay attacks, following its guidance for protecting Active Directory Certificate Services (AD CS), a common relay target.
Microsoft has so far declined to issue a security fix, but the researchers hope the company will reconsider, because this flaw differs from other NTLM relay attacks: it can be exploited without any interaction from the victim.
Meanwhile, the 0patch service has issued free unofficial patches for the vulnerability. These micropatches cover Windows 7 through the most recent Windows 10 release, and Windows Server 2008 through Windows Server 2019.
To deploy the micropatch, create a free 0patch account and install the 0patch agent. Once the agent is installed, the patch is applied automatically unless a patching policy you have configured prevents it.
Other Mitigation Measures
Back in April 2021 when they published the report on RemotePotato0, the SentinelOne researchers also provided some mitigation measures:
For HTTP(S), you should remove all non-TLS-protected HTTP bindings (prefer SSL everywhere, particularly where NTLM is used) and configure Channel Binding Tokens validation by setting the tokenChecking attribute to a minimum of Allow (if not Require) as documented here. (…) For LDAP, you should set the Domain controller: LDAP server signing requirements Group Policy to Require signature for non-LDAPS LDAP connections as documented here. (…) For SMB, you should configure SMB Signing by setting the Group Policy Digitally sign server communication (always) as documented here.
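As an added example, not code from the article, SentinelOne or 0patch, the following PowerShell script audits a server for the three mitigations quoted above (LDAP signing, SMB signing, Channel Binding Token validation plus HTTPS-only bindings in IIS) and can enforce them. The site name in $IisSite, the function names and the choice of Require over Allow for tokenChecking are assumptions; the LDAP settings only mean anything on a domain controller, and in a domain the equivalent Group Policy settings should be used because they overwrite local registry edits.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article, SentinelOne or 0patch).
# Audits and optionally enforces the NTLM relay mitigations quoted above on the local host.
# Assumptions: $IisSite names the site hosting NTLM-authenticated apps (e.g. AD CS /CertSrv);
# registry edits below are not overridden by Group Policy.
Import-Module WebAdministration -ErrorAction SilentlyContinue

$LdapKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'       # exists on DCs only
$SmbKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$IisSite   = 'Default Web Site'                                              # assumption
$EpaFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-RegDword([string]$Path, [string]$Name) {
    # $null means the value is absent, i.e. the (insecure) default applies
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.$Name
}

function Test-NtlmRelayMitigations {
    $findings = @()
    # LDAP: "Domain controller: LDAP server signing requirements" -> 2 = Require signing
    $ldap = Get-RegDword $LdapKey 'LDAPServerIntegrity'
    $findings += [pscustomobject]@{ Control = 'LDAP server signing (LDAPServerIntegrity)'; Value = $ldap; Compliant = ($ldap -eq 2) }
    # LDAPS channel binding: 2 = Always (covers TLS-protected LDAP, which signing does not)
    $cbt = Get-RegDword $LdapKey 'LdapEnforceChannelBinding'
    $findings += [pscustomobject]@{ Control = 'LDAPS channel binding (LdapEnforceChannelBinding)'; Value = $cbt; Compliant = ($cbt -eq 2) }
    # SMB: "Digitally sign server communication (always)" -> RequireSecuritySignature = 1
    $smb = Get-RegDword $SmbKey 'RequireSecuritySignature'
    $findings += [pscustomobject]@{ Control = 'SMB server signing required'; Value = $smb; Compliant = ($smb -eq 1) }
    # HTTP: Extended Protection (Channel Binding Tokens) and no plaintext bindings on the site
    if (Get-Module WebAdministration) {
        $tok = (Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $IisSite -Filter $EpaFilter).tokenChecking
        $findings += [pscustomobject]@{ Control = "IIS EPA tokenChecking ($IisSite)"; Value = $tok; Compliant = ($tok -in 'Allow', 'Require') }
        $plain = @(Get-WebBinding -Name $IisSite -Protocol http)
        $findings += [pscustomobject]@{ Control = "Non-TLS HTTP bindings ($IisSite)"; Value = $plain.Count; Compliant = ($plain.Count -eq 0) }
    }
    return $findings
}

function Set-NtlmRelayMitigations {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$RequireEpa)   # Require instead of the minimum Allow for tokenChecking

    if (Test-Path $LdapKey) {
        if ($PSCmdlet.ShouldProcess($LdapKey, 'LDAPServerIntegrity=2, LdapEnforceChannelBinding=2')) {
            New-ItemProperty -Path $LdapKey -Name LDAPServerIntegrity -Value 2 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $LdapKey -Name LdapEnforceChannelBinding -Value 2 -PropertyType DWord -Force | Out-Null
        }
    } else { Write-Warning 'NTDS parameters key not found: LDAP settings apply to domain controllers only.' }

    if ($PSCmdlet.ShouldProcess('LanmanServer', 'RequireSecuritySignature=1')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }

    if ((Get-Module WebAdministration) -and $PSCmdlet.ShouldProcess($IisSite, 'EPA tokenChecking + HTTPS only')) {
        $level = if ($RequireEpa) { 'Require' } else { 'Allow' }
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $IisSite -Filter $EpaFilter -Name tokenChecking -Value $level
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $IisSite -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
        # Drop plaintext bindings only when an HTTPS binding exists, otherwise the site goes dark
        if (@(Get-WebBinding -Name $IisSite -Protocol https).Count -gt 0) {
            Get-WebBinding -Name $IisSite -Protocol http | Remove-WebBinding
        } else { Write-Warning "$IisSite has no HTTPS binding; add one before removing HTTP bindings." }
    }
}

Test-NtlmRelayMitigations | Format-Table -AutoSize
# Set-NtlmRelayMitigations -RequireEpa -WhatIf   # preview the changes, then run without -WhatIf
```

Run the audit first on every server that accepts NTLM (domain controllers, file servers, AD CS web enrollment hosts); the Value column shows $null where a setting has never been configured, which is the insecure default. Remediation supports -WhatIf, and the IIS branch refuses to remove the HTTP binding when no HTTPS binding exists. Relay targets you do not harden remain usable by RemotePotato0 regardless of what the micropatch does on the source machine.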
How Can Heimdal™ Help?
PAM tools play an essential part in defending against privilege escalation attacks. Our Privileged Access Management tool lets you build an efficient approval/denial flow for privileged accounts, and, used together with our Next-Gen Endpoint Antivirus, it automatically de-escalates rights when a threat is detected.