A new 0-Day security vulnerability affecting all prevalent versions of Windows Operating System, has received multiple unofficial patches. The vulnerability, dubbed “RemotePotato0”, can allow potential attackers to elevate their access level, essentially granting them domain admin rights.
The RemotePotato0 was first discovered by SentinelOne researchers Antonio Cocomazzi and Andrea Pierini. The duo disclosed the flaw to Microsoft in April 2021. Microsoft has acknowledged the vulnerability as a 0-Day flaw. However, the bug hasn’t received a CVE ID, reportedly because Microsoft refused to fix the same.
The RemotePotato0 relies on an NTLM relay attack. It allows attackers to trigger authenticated RPC/DCOM calls. By successfully relaying the NTLM authentication to other protocols, attackers can grant themselves elevated privileges on the targeted domain, essentially making them domain administrator.
0patch co-founder Mitja Kolsek has explained the flaw, and even shared unofficial patches to block RemotePotato0 exploitation on impacted servers.
“It allows a logged-in low-privileged attacker to launch one of several special-purpose applications in the session of any other user who is also currently logged in to the same computer, and make that application send said user's NTLM hash to an IP address chosen by the attacker. Intercepting an NTLM hash from a domain administrator, the attacker can craft their own request for the domain controller pretending to be that administrator and perform some administrative action such as adding themselves to the Domain Administrators group.”
NTLM (Windows NT LAN Manager) authentication protocol is old, and Kerberos has already succeeded the same. However, the protocol is still commonly used on Windows servers. Perhaps because the protocol is now obsolete, Microsoft, instead of offering a patch for the RemotePotato0 flaw, has advised to disable NTLM or configure Windows servers to block NTLM relay attacks.
Microsoft’s decision is perhaps risky because RemotePotato0 can be exploited without needing the target's interaction. Hence, until Microsoft changes its mind, it is safe to create a 0patch account and then install the 0patch agent. The platform confirms their patches for RemotePotato0 are available for all Windows versions. This means OS versions from Windows 7 to the latest Windows 10 version, and from Windows Server 2008 to Windows Server 2019, are covered.