Windows 'RemotePotato0' zero-day gets an unofficial patch (Security News, January 2022)
A privilege escalation vulnerability impacting all Windows versions that can let threat actors gain domain admin privileges through an NTLM relay attack has received unofficial patches after Microsoft tagged it as "Won't fix."
Kerberos has superseded NTLM as the default authentication protocol for domain-joined devices on Windows 2000 and later.
Despite this, NTLM is still in use on Windows servers, allowing attackers to exploit vulnerabilities like RemotePotato0, which is designed to bypass the mitigations against NTLM relay attacks.
Microsoft told the researchers that Windows admins should either disable NTLM or configure their servers to block NTLM relay attacks using Active Directory Certificate Services.
The researchers "Hope that MS reconsider their decision not to fix this serious vulnerability" since RemotePotato0 can be exploited without requiring the target's interaction by relaying authentication to other protocols, unlike similar NTLM relay attack techniques using bugs like CVE-2020-1113 and CVE-2021-1678.
The unofficial patches for RemotePotato0 are available for all Windows versions from Windows 7 to the latest Windows 10 version and from Windows Server 2008 to Windows Server 2019.
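Microsoft's suggested mitigation of disabling NTLM is applied on Windows through the "Network security: Restrict NTLM" security policies. As an added example that is not part of the article or of the researchers' work, the following PowerShell reads the registry values those policies set and reports whether the host still accepts inbound NTLM, which is the precondition for any NTLM relay against it. The function name Get-NtlmPolicyStatus is this example's own; the values are read locally, so the result reflects whatever Group Policy has already applied to the machine.

```powershell
# Added example, not code from the article or from the RemotePotato0 researchers.
# Reads the registry values behind the "Network security: Restrict NTLM" and
# "LAN Manager authentication level" policies so an admin can see whether this
# host still accepts inbound NTLM. Run in an elevated PowerShell session on the
# server being checked. Get-NtlmPolicyStatus is this example's own function name.

function Get-NtlmPolicyStatus {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv10 = "$lsa\MSV1_0"

    # Read a DWORD policy value; $null means the policy is "Not Defined",
    # which Windows treats as "allow".
    function Read-PolicyValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$Name
    }

    # Documented meanings of the policy values:
    #   RestrictReceivingNTLMTraffic: 0 allow all, 1 deny domain accounts, 2 deny all
    #   RestrictSendingNTLMTraffic:   0 allow all, 1 audit all, 2 deny all
    #   AuditReceivingNTLMTraffic:    0 disable, 1 audit domain accounts, 2 audit all
    #   LmCompatibilityLevel (under Lsa): 5 = send NTLMv2 only, refuse LM and NTLM
    $incoming = Read-PolicyValue $msv10 'RestrictReceivingNTLMTraffic'
    $outgoing = Read-PolicyValue $msv10 'RestrictSendingNTLMTraffic'
    $audit    = Read-PolicyValue $msv10 'AuditReceivingNTLMTraffic'
    $lmLevel  = Read-PolicyValue $lsa   'LmCompatibilityLevel'

    function Get-IncomingLabel($v) {
        switch ($v) { 2 { 'Deny all' } 1 { 'Deny domain accounts' } 0 { 'Allow all' } default { 'Not defined (allow all)' } }
    }
    function Get-OutgoingLabel($v) {
        switch ($v) { 2 { 'Deny all' } 1 { 'Audit all' } 0 { 'Allow all' } default { 'Not defined (allow all)' } }
    }

    $auditLabel = if ($audit -gt 0) { 'On' } else { 'Off' }
    $lmLabel    = if ($null -eq $lmLevel) { 'Not defined' } else { $lmLevel }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        IncomingNtlm         = Get-IncomingLabel $incoming
        OutgoingNtlm         = Get-OutgoingLabel $outgoing
        IncomingNtlmAuditing = $auditLabel
        LmCompatibilityLevel = $lmLabel
        # A relay needs this host to accept NTLM at all; only "Deny all" closes that door.
        AcceptsInboundNtlm   = ($incoming -ne 2)
    }
}

Get-NtlmPolicyStatus | Format-List
```

Setting RestrictReceivingNTLMTraffic to 1 ("Deny domain accounts") is usually enough to break a relay of domain credentials, but `AcceptsInboundNtlm` is deliberately strict and only reports false for "Deny all", because local-account NTLM is still accepted at level 1. Turn on AuditReceivingNTLMTraffic first and review the resulting NTLM audit events before denying, so that legitimate clients that still depend on NTLM are found before they are cut off.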
Related vulnerabilities
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2021-01-12 | CVE-2021-1678 | Unspecified vulnerability in Microsoft products: Windows Print Spooler Spoofing Vulnerability | 8.8
2020-05-21 | CVE-2020-1113 | Improper Certificate Validation vulnerability in Microsoft products: a security feature bypass vulnerability exists in Microsoft Windows when the Task Scheduler service fails to properly verify client connections over RPC, aka 'Windows Task Scheduler Security Feature Bypass Vulnerability'. | 9.3