New unofficial Windows patch fixes more PetitPotam attack vectors (Security News, August 2021)
A second unofficial patch for the Windows PetitPotam NTLM relay attack has been released to fix further issues not addressed by Microsoft's official security update.
In July, security researcher Gilles Lionel, aka Topotam, disclosed a new technique called 'PetitPotam' that performs unauthenticated forced authentication against domain controllers using various functions of the MS-EFSRPC API.
Microsoft's security update is not complete.
Due to the critical nature of this attack, Microsoft released a security update as part of the August 2021 Patch Tuesday that attempted to fix the PetitPotam vulnerability, tracked as CVE-2021-36942.
- Windows Server 2012 R2
- Windows Server 2008 R2
With this micropatch, the functions are blocked in both the LSARPC and EFSRPC named pipes and can no longer be exploited as part of an NTLM relay attack.
"What we did was patch just one function that is called from all these and is responsible for sending System's credentials to attacker's endpoint," 0patch cofounder Mitja Kolsek told BleepingComputer.
Those who prefer to wait for a possible official patch from Microsoft can also defend against PetitPotam attacks with netsh RPC filters that block remote access to the MS-EFSRPC API.
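As an added illustration of that RPC-filter mitigation (not code from the article or from 0patch), the script below installs block rules for both MS-EFSRPC interface UUIDs and then lists the installed filters so the change can be verified. The UUIDs are the two interface identifiers documented in the MS-EFSR specification; the temporary file path is an assumption, and the script must run from an elevated session. Note that the filter also blocks legitimate remote EFS use, so test it before deploying broadly.

```powershell
# Added example: block remote MS-EFSRPC access with netsh RPC filters (run elevated).
# The two UUIDs are the MS-EFSRPC interface identifiers from the MS-EFSR spec;
# the script file path below is an assumption, not something the article specifies.
$filterScript = Join-Path $env:TEMP 'block-efsrpc.txt'

@"
rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter
quit
"@ | Set-Content -Path $filterScript -Encoding ASCII

# Apply the filter script; netsh -f reads the commands in the file in order.
netsh -f $filterScript

# Verification step: each installed filter is listed with its filterKey
# and the interface UUID condition it matches.
netsh rpc filter show filter

# Rollback, if the filter breaks legitimate remote EFS traffic:
#   netsh rpc filter delete filter filterkey=<filterKey from 'show filter'>
```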
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2021-08-12 | CVE-2021-36942 | Windows LSA Spoofing Vulnerability (unspecified vulnerability in Microsoft products) | 7.5