Windows PetitPotam vulnerability gets an unofficial free patch (Security News, August 2021)
A free unofficial patch is now available to block attackers from taking over domain controllers and compromising entire Windows domains via PetitPotam NTLM relay attacks.
The PetitPotam attack vector that forces Windows machines to authenticate against threat actors' malicious NTLM relay servers using the Microsoft Encrypting File System Remote Protocol was disclosed last month by security researcher Gilles Lionel.
Using this attack method, threat actors can completely take over Windows domains, allowing them to push new group policies and deploy malware on all endpoints.
While Microsoft's advisory is designed to help prevent NTLM relay attacks, it does not provide any guidance on how to actually block PetitPotam, which could also be used as a vector for other attacks such as NTLMv1 downgrades.
Windows Server 2012 R2 and Windows Server 2008 R2 are among the versions for which 0patch issued micropatches. No micropatch was issued for Windows Server 2012, Windows Server 2008, and Windows Server 2003 because, based on 0patch's analysis, these releases are not impacted by PetitPotam.
If you can't immediately deploy one of these temporary patches, you can also defend against PetitPotam attacks using NETSH RPC filters that block remote access to the MS-EFSRPC API, effectively removing the unauthenticated PetitPotam attack vector.
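The RPC filter mitigation described above, as an added example that is not from the article or from 0patch. It assumes the two MS-EFSR interface UUIDs published in Microsoft's protocol specification (they are not listed on this page) and an elevated PowerShell session on the domain controller.

```powershell
# Added example (not from the article or 0patch): block remote MS-EFSRPC
# calls with netsh RPC filters. The two interface UUIDs are the MS-EFSR
# identifiers from Microsoft's protocol specification, assumed here, not
# taken from the page. Run from an elevated PowerShell session.
$EfsrInterfaces = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e',  # MS-EFSR, \pipe\efsrpc endpoint
    'df1941c5-fe89-4e79-bf10-463657acf44d'   # MS-EFSR, \pipe\lsarpc endpoint
)

# Build a netsh script: one user-mode block rule per interface UUID.
$ScriptPath = Join-Path $env:TEMP 'block-efsrpc.txt'
$lines = @('rpc', 'filter')
foreach ($uuid in $EfsrInterfaces) {
    $lines += 'add rule layer=um actiontype=block'
    $lines += "add condition field=if_uuid matchtype=equal data=$uuid"
    $lines += 'add filter'
}
$lines += 'quit'
Set-Content -Path $ScriptPath -Value $lines -Encoding ASCII

# Apply the filters.
netsh -f $ScriptPath

# Verify: every UUID should now appear in the installed filter list.
$installed = netsh rpc filter show filter | Out-String
foreach ($uuid in $EfsrInterfaces) {
    if ($installed -match [regex]::Escape($uuid)) {
        Write-Host "RPC filter active for interface $uuid"
    } else {
        Write-Warning "RPC filter for interface $uuid was not installed"
    }
}
```

The filters also block legitimate remote EFS management, so validate in a test domain first; `netsh rpc filter delete filter filterkey=<key>` (key from `show filter`) removes one if needed.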