0patch fixes RemotePotato0 vulnerability in Windows

[German]The ACROS Security team around founder Mitja Kolsek has just developed a micro-patch to close a Local Privilege Escalation vulnerability of Windows. The patch is available free of charge for all customers with the 0patch agent until Microsoft closes this vulnerability. Here is some information about it.

The RemotePotato0 LPE vulnerability

In April 2021, Sentinel LABS researcher Antonio Cocomazzi and independent security researcher Andrea Pierini had published an article titled Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows RPC Protocol. The article described a local privilege escalation vulnerability they found in Windows and reported to Microsoft. I had reported about it in July 2021 in the post RemotePotato0: Privilege Escalation Vulnerability in Windows RPC Protocol.

The vulnerability allows a logged-in attacker with low privileges to launch one of several special applications in another user's session. However, the user must be currently logged on to the same computer, and get that application to send the user's NTLM hash to an IP address chosen by the attacker. If the attacker intercepts an NTLM hash from a domain administrator, he can make his own request to the domain controller impersonating that administrator and perform an administrative action, such as adding himself to the group of domain administrators.

Microsoft decided not to fix this vulnerability because "servers need to defend themselves against NTLM relay attacks." In reality, many servers do not protect themselves against NTLM relay attacks. Since the vulnerability is present in all supported versions of Windows (as well as any unsupported versions that the ACROS Security folks have determined to be security sensitive), the ACROS Security folks have decided to address the vulnerability with a micro-patch.

The 0patch solution for the RemotePotato0 LPE vulnerability

The team at ACROS Security, which has been providing the 0Patch solution for years, analyzed the RPE vulnerability and provided a micropatch to render the vulnerability harmless. Mitja Kolsek drew attention to this solution via Twitter.

The details are described in more detail in this blog post dated January 12, 2022 by 0patch. The 0patch micropatches are available for free to all customers for the following Windows versions.

1. Windows 10 v21H1 32&64 bit updated with December 2021 or January 2022 Updates
2. Windows 10 v20H2 32&64 bit updated with December 2021 or January 2022 Updates
3. Windows 10 v2004 32&64 bit updated with December 2021 or January 2022 Updates
4. Windows 10 v1909 32&64 bit updated with December 2021 or January 2022 Updates
5. Windows 10 v1903 32&64 bit updated with December 2021 or January 2022 Updates
6. Windows 10 v1809 32&64 bit updated with May 2021 Updates
7. Windows 10 v1803 32&64 bit updated with May 2021 Updates
8. Windows 7 32&64 bit updated with January 2020 Updates (no ESU)
9. Windows 7 32&64 bit updated with January 2021 Updates (year 1 of ESU)
10. Windows 7 32&64 bit updated with December 2021 or January 2022 Updates (year 2 of ESU)
11. Windows Server 2019 64 bit updated with December 2021 or January 2022 Updates
12. Windows Server 2016 64 bit updated with December 2021 or January 2022 Updates
13. Windows Server 2012 R2 64 bit updated with December 2021 or January 2022 Updates
14. Windows Server 2012 64 bit updated with December 2021 or January 2022 Updates
15. Windows Server 2008 R2 64 bit updated with January 2020 Updates (no ESU)
16. Windows Server 2008 R2 64 bit updated with January 2021 Updates (year 1 of ESU)
17. Windows Server 2008 R2 64 bit updated with January 2022 Updates (year 2 of ESU)
18. Windows Server 2008 64 bit updated with January 2020 Updates

In this tweet one user reports minor problems with the Hello PIN entry in Windows. Notes on how the 0patch agent, which loads micropatches into memory at an application's runtime, works can be found in blog posts (such as here). 

Similar articles
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
0patch fixes CVE-2020-1062 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1300 in Windows 7/Server 2008 R2
0patch fixes 0-day vulnerability in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1013 in Windows 7/Server 2008 R2
0patch fixes a Local Privilege Escalation 0-day in Sysinternals PsExec
0patch fixes Windows Installer 0-day Local Privilege Escalation vulnerability
0patch fixes 0-day in Internet Explorer
0patch fixes CVE-2021-26877 in the DNS server of Windows Server 2008 R2
0patch fixes Windows Installer LPE-Bug (CVE-2021-26415)
0Patch provides support for Windows 10 version 1809 after EOL
Windows 10 V180x: 0Patch fixes IE vulnerability CVE-2021-31959
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 6, 2021)
2nd 0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 19, 2021)
Windows 10: 0patch fix for MSHTML vulnerability (CVE-2021-40444)
0patch fixes LPE Vulnerability (CVE-2021-34484) in Windows User Profile Service
0patch fixes LPE vulnerability (CVE-2021-24084) in Mobile Device Management Service
0patch fixes InstallerTakeOver LPE 0-day vulnerability in Windows
0patch fixes ms-officecmd RCE vulnerability in Windows