2nd 0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 19, 2021)

Windows[German]ecurity researchers had recently disclosed a new attack vector called PetitPotam. By means of an NTLM relay attack, any Windows domain controller can be taken over by attackers. ACROS Security has now presented the second free 0Patch solution for different Windows Server versions, which prevents the exploitation of the vulnerability.


Advertising

The PetitPotam vulnerability

French security researcher Gilles Lionel (alias Topotam) had published a proof of concept (PoC) in July 2021 for exploiting an NTLM relay attack that can take over Windows domain controllers. There is a method to force a domain controller to authenticate to a malicious NTLM relay. This allows then to forward the request over HTTP to a domain's Active Directory certificate services. Ultimately, the attacker obtains a Kerberos ticket (TGT) that could be used to assume the identity of any device on the network, including a domain controller.

I had reported on this scenario in the blog post PetitPotam attack allows Windows domain takeover. There is now a workaround available from Microsoft (see Microsoft Delivers Workaround for Windows PetitPotam NTLM Relay Attacks) and an approach to block the attacks via Netsh filter (see PetitPotam attacks on Windows blocked by RPC filters). A new way to block the vulnerability has now come to my attention from ACROS Security. 

The new 0Patch solution for PetitPotam

The team at ACROS Security, which has been providing the 0Patch solution for years, analyzed the PetitPotam vulnerability and quickly deployed a micropatch to render the vulnerability harmless (see 0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 6, 2021)). Now there is a revised micropatch that blocks more attack vectors. Mitja Kolsek alerted me to this free fix via Twitter.

PetitPotam 0patch fix

The fix is described in more detail in this blog post dated August 6, 2021 by 0patch and was last updated on August 19, 2021. The 0patch micropatches are available free of charge for the following products: 


Advertising

  1. Windows Server 2019 (updated with July 2021 Updates)
  2. Windows Server 2016 (updated with July 2021 Updates)
  3. Windows Server 2012 R2 (updated with July 2021 Updates)
  4. Windows Server 2008 R2 (updated with January 2020 Updates, no Extended Security Updates)

Notes on how the 0patch agent works, which loads the micropatches into memory at the runtime of an application, can be found in the blog posts (such as here).

Similar articles:
PetitPotam attack allows Windows domain takeover
Microsoft's mitigations of Windows PetitPotam NTLM relay attacks
Microsoft Security Update Revisions (July 29, 2021)
PetitPotam attacks on Windows blocked by RPC filters

0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
0patch fixes CVE-2020-1062 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1300 in Windows 7/Server 2008 R2
0patch fixes 0-day vulnerability in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1013 in Windows 7/Server 2008 R2
0patch fixes a Local Privilege Escalation 0-day in Sysinternals PsExec
0patch fixes Windows Installer 0-day Local Privilege Escalation vulnerability
0patch fixes 0-day in Internet Explorer
0patch fixes CVE-2021-26877 in the DNS server of Windows Server 2008 R2
0patch fixes Windows Installer LPE-Bug (CVE-2021-26415)
0Patch provides support for Windows 10 version 1809 after EOL
Windows 10 V180x: 0Patch fixes IE vulnerability CVE-2021-31959
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 6, 2021)


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *