
Windows 'RemotePotato0' zero-day gets an unofficial patch
2022-01-13 17:31

A privilege escalation vulnerability impacting all Windows versions that can let threat actors gain domain admin privileges through an NTLM relay attack has received unofficial patches after Microsoft tagged it as "Won't fix."

Kerberos has been the default authentication protocol for domain-joined Windows machines since Windows 2000, superseding NTLM.

Despite this, NTLM remains enabled on most Windows servers for backward compatibility, and that is what RemotePotato0 relies on: from a low-privileged foothold it coerces an NTLM authentication out of a higher-privileged user who is logged on to the same host and relays it to a domain service, sidestepping the mitigations Microsoft has shipped against earlier NTLM relay techniques.

Microsoft told the researchers that Windows admins should either disable NTLM or harden their servers against NTLM relay, following Microsoft's guidance on mitigating NTLM relay attacks against Active Directory Certificate Services.
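The two mitigations Microsoft offered, disabling NTLM or hardening servers against relay, both come down to a handful of policy settings. The script below is an added example written for this page, not code from the article, from Microsoft, or from the RemotePotato0 researchers. It reports the NTLM-relevant settings on a host next to the hardened value, summarises recent NTLM use from the Microsoft-Windows-NTLM/Operational log (which only fills once the audit policies are on), and, with -Enforce, applies the hardened values. It assumes it is run elevated, that the AD CS web enrollment pages live at 'Default Web Site/CertSrv' (an assumption; adjust for your CA), and that the WebAdministration module is available on the CA. The function names are the example's own.

```powershell
# Added example (not the article's, Microsoft's or the researchers' code).
# Reports, and with -Enforce applies, the settings that take NTLM relay off
# the table: no LM/NTLMv1, NTLM audited then refused, SMB signing, LDAP
# signing and channel binding on DCs, and EPA + SSL on AD CS web enrollment.
# Lab-test first: RestrictReceivingNTLMTraffic=2 breaks every client that
# still speaks NTLM, which is what the audit log tells you about beforehand.
[CmdletBinding()]
param(
    [switch]$Enforce,             # without it the script only reports
    [switch]$IsDomainController,  # adds the NTDS (LDAP) settings
    [switch]$IsAdcsWebEnrollment  # adds the IIS CertSrv hardening
)

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv  = "$lsa\MSV1_0"
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Registry backing of the "Network security" group policies. Want = hardened value.
$policy = @(
    @{ Path=$lsa; Name='LmCompatibilityLevel';         Want=5; Note='5 = NTLMv2 only, refuse LM/NTLMv1 (default 3 still accepts NTLMv1)' },
    @{ Path=$msv; Name='AuditReceivingNTLMTraffic';    Want=2; Note='2 = audit incoming NTLM for all accounts (default 0 = no audit)' },
    @{ Path=$msv; Name='RestrictReceivingNTLMTraffic'; Want=2; Note='2 = deny all incoming NTLM (default 0 = allow); enforce only after the audit is quiet' },
    @{ Path=$srv; Name='RequireSecuritySignature';     Want=1; Note='1 = require SMB signing, so a relayed session to SMB fails (default 0 on members)' }
)
if ($IsDomainController) {
    $policy += @{ Path=$ntds; Name='LDAPServerIntegrity';       Want=2; Note='2 = require LDAP signing (default 1 = negotiate); kills relay to LDAP' }
    $policy += @{ Path=$ntds; Name='LdapEnforceChannelBinding'; Want=2; Note='2 = always require channel binding on LDAPS (default 0)' }
}

function Get-NtlmPosture {
    foreach ($p in $policy) {
        $cur = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        $shown = if ($null -eq $cur) { '(not set)' } else { $cur }
        [pscustomobject]@{ Setting=$p.Name; Current=$shown; Wanted=$p.Want; Ok=($cur -eq $p.Want); Why=$p.Note }
    }
}

function Get-RecentNtlmUse {
    param([int]$Hours = 24)
    # 8001-8003: NTLM authentications the audit policies recorded (client,
    # server, domain); 8004: NTLM refused by the restrict policies. The events
    # carry the account and workstation, i.e. the inventory needed before -Enforce.
    Get-WinEvent -FilterHashtable @{
        LogName='Microsoft-Windows-NTLM/Operational'; Id=8001,8002,8003,8004
        StartTime=(Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Group-Object Id | Select-Object Name, Count
}

function Set-NtlmPosture {
    foreach ($p in $policy) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        Set-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Want -Type DWord
    }
    if ($IsAdcsWebEnrollment) {
        # Extended Protection for Authentication binds the NTLM exchange to the
        # TLS channel, so an authentication relayed from elsewhere is rejected;
        # requiring SSL makes sure that channel exists. Site path is an assumption.
        Import-Module WebAdministration
        $site = 'Default Web Site/CertSrv'
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name 'tokenChecking' -Value 'Require'
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
            -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
    }
}

Get-NtlmPosture   | Format-Table -AutoSize
Get-RecentNtlmUse | Format-Table -AutoSize
if ($Enforce) { Set-NtlmPosture; Get-NtlmPosture | Format-Table -AutoSize }
```

Run it once without -Enforce on every server, leave the audit settings on for a few days, and only then turn RestrictReceivingNTLMTraffic up on hosts whose 8002 events are empty; the signing and EPA settings can go on immediately, since they let NTLM keep working but make a relayed session unusable.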

The researchers "hope that MS reconsider their decision not to fix this serious vulnerability", since RemotePotato0 can be exploited without any interaction from the targeted user, by relaying the captured authentication to other protocols, unlike earlier NTLM relay techniques built on bugs such as CVE-2020-1113 and CVE-2021-1678.

The unofficial patches for RemotePotato0 are available for all Windows versions from Windows 7 to the latest Windows 10 version and from Windows Server 2008 to Windows Server 2019.


News URL

https://www.bleepingcomputer.com/news/security/windows-remotepotato0-zero-day-gets-an-unofficial-patch/

Related Vulnerability

DATE         CVE             VULNERABILITY TITLE                                                   RISK
2021-01-12   CVE-2021-1678   Unspecified vulnerability in Microsoft products                       0.0
                             (Windows Print Spooler Spoofing Vulnerability)
2020-05-21   CVE-2020-1113   Improper Certificate Validation vulnerability in Microsoft products   7.5
                             A security feature bypass vulnerability exists in Microsoft Windows
                             when the Task Scheduler service fails to properly verify client
                             connections over RPC, aka 'Windows Task Scheduler Security Feature
                             Bypass Vulnerability'. Attack vector: network; attack complexity:
                             high; vendor: microsoft; CWE-295.