Windows PetitPotam vulnerability gets an unofficial free patch
Security News, August 2021
A free unofficial patch is now available to block attackers from taking over domain controllers and compromising entire Windows domains via PetitPotam NTLM relay attacks.
The PetitPotam attack vector, disclosed last month by security researcher Gilles Lionel, abuses the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) to force Windows machines, including domain controllers, to authenticate to an attacker-controlled NTLM relay server.
Using this attack method, threat actors can completely take over Windows domains, which lets them push new group policies and deploy malware on all endpoints.
Microsoft's advisory describes general mitigations for NTLM relay attacks, but it gives no guidance on how to block the PetitPotam coercion itself, which could also serve as a vector for other attacks, such as NTLMv1 downgrades.
The micropatches cover the following releases:
- Windows Server 2012 R2
- Windows Server 2008 R2
No micropatch was issued for Windows Server 2012, Windows Server 2008, and Windows Server 2003 because, based on 0patch's analysis, these releases are not impacted by PetitPotam.
If you can't immediately deploy one of these micropatches, you can also defend against PetitPotam by using netsh RPC filters that block remote access to the MS-EFSRPC interface, which removes the unauthenticated PetitPotam attack vector.
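The RPC-filter mitigation above, written out as an added example (this is not code from the article or from 0patch). It generates a netsh script that blocks the two MS-EFSRPC interface UUIDs in the user-mode RPC layer, applies it, and lists the resulting filters. The temporary file name is an assumption; run it from an elevated PowerShell prompt on the domain controller:

```powershell
# Added example: block remote MS-EFSRPC with Windows RPC filters so that
# unauthenticated PetitPotam coercion (EfsRpcOpenFileRaw and friends) is refused.
# Run elevated. Not part of the original article or of 0patch's micropatch.

# The two RPC interface UUIDs under which MS-EFSRPC is exposed.
$EfsrpcInterfaces = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e',   # EFSRPC reached via \pipe\efsrpc
    'df1941c5-fe89-4e79-bf10-463657acf44d'    # EFSRPC reached via \pipe\lsarpc
)

# Build a netsh script: enter the "rpc filter" context, then for each interface
# add a block rule in the user-mode (um) layer whose only condition is the UUID.
$lines = @('rpc', 'filter')
foreach ($uuid in $EfsrpcInterfaces) {
    $lines += 'add rule layer=um actiontype=block'
    $lines += "add condition field=if_uuid matchtype=equal data=$uuid"
    $lines += 'add filter'
}
$lines += 'quit'

# Assumed scratch path for the netsh script file.
$scriptPath = Join-Path $env:TEMP 'block_efsrpc.txt'
Set-Content -Path $scriptPath -Value $lines -Encoding ASCII

# Apply the filters from the script file.
netsh -f $scriptPath

# Verify: the output should list two filters, one per UUID above.
netsh rpc filter show filter
```

Two caveats. The filter blocks every remote caller of these interfaces, authenticated or not, so legitimate remote EFS operations against that host stop working as well; that is the trade-off for removing the coercion path. And it only closes the EFSRPC vector named in this article, not NTLM relay in general, so it complements rather than replaces the relay hardening in Microsoft's advisory. To roll back, take the filter key printed by `netsh rpc filter show filter` and run `netsh rpc filter delete filter filterkey=<key>` for each of the two filters.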