
Windows “RemotePotato0” Zero-Day Gets Unofficial Patch following Microsoft Refusal


Microsoft’s January 2022 Patch Tuesday has just passed, but one flaw has slipped through the net. A new zero-day vulnerability known as “RemotePotato0”, which affects all supported versions of Windows, did not get a fix. In fact, Microsoft is refusing to patch the issue. In response, third parties have released multiple fixes for it.

SentinelOne researchers first discovered RemotePotato0 and informed Microsoft about the vulnerability back in April 2021. While Microsoft confirmed the flaw as a zero-day, the company has not released a fix. In fact, Microsoft has not even given the bug a CVE ID, almost like the company is completely ignoring it.

RemotePotato0 relies on NTLM relaying to attack Windows. Threat actors can exploit the vulnerability to trigger RPC/DCOM calls, and by relaying the resulting NTLM authentication to other protocols, an attacker could give themselves escalated privileges on a domain.

0patch has now released an unofficial patch for the bug. Co-founder Mitja Kolsek explains how the flaw works:

“It allows a logged-in low-privileged attacker to launch one of several special-purpose applications in the session of any other user who is also currently logged in to the same computer, and make that application send said user’s NTLM hash to an IP address chosen by the attacker. Intercepting an NTLM hash from a domain administrator, the attacker can craft their own request for the domain controller pretending to be that administrator and perform some administrative action such as adding themselves to the Domain Administrators group.”

Microsoft Refusal

Microsoft’s unwillingness to patch the vulnerability is a mystery, but it could be because NTLM (NT LAN Manager), an authentication protocol for Windows, is now old. Microsoft replaced the protocol with Kerberos some time ago.

Even so, NTLM is still widely used on Windows servers. Microsoft’s refusal does seem to be because it considers NTLM obsolete. In fact, the company says users should simply configure their Windows servers to block NTLM relays.

It’s a strange choice, because RemotePotato0 is dangerous: it does not require any user interaction to initiate an attack. Luckily, 0patch is on hand with the unofficial fix.
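Since Microsoft’s advice is configuration rather than a patch, the following added PowerShell example (not from the article, 0patch or Microsoft) audits the server settings that limit NTLM relaying. The registry values are real Windows policy values; the recommended targets are this example’s assumptions, and the script only reads and reports, it changes nothing.

```powershell
# Added example: read-only audit of NTLM-relay hardening on a Windows server.
# Run from an elevated PowerShell prompt. The "Want" values are assumptions
# drawn from common hardening guidance; validate them for your environment.

$checks = @(
    @{ Name = 'LmCompatibilityLevel (5 = NTLMv2 only, refuse LM and NTLMv1)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'LmCompatibilityLevel';       Want = 5 },
    @{ Name = 'RestrictSendingNTLMTraffic (2 = deny outgoing NTLM)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Key  = 'RestrictSendingNTLMTraffic'; Want = 2 },
    @{ Name = 'SMB server RequireSecuritySignature (1 = signing required)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'RequireSecuritySignature';   Want = 1 },
    @{ Name = 'LDAPServerIntegrity (2 = LDAP signing required; domain controllers only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Key  = 'LDAPServerIntegrity';        Want = 2 },
    @{ Name = 'LdapEnforceChannelBinding (2 = channel binding required; domain controllers only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Key  = 'LdapEnforceChannelBinding';  Want = 2 }
)

function Test-NtlmRelayHardening {
    foreach ($c in $checks) {
        # A missing value means the OS default applies, which for every item
        # above is the weaker setting, so "absent" is reported as a finding.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue
        $have = $null
        if ($null -ne $item) { $have = $item.($c.Key) }

        $current = 'not set (default)'
        if ($null -ne $have) { $current = $have }

        $status = 'REVIEW'
        if ($have -eq $c.Want) { $status = 'OK' }

        [pscustomobject]@{
            Setting = $c.Name
            Current = $current
            Wanted  = $c.Want
            Status  = $status
        }
    }
}

Test-NtlmRelayHardening | Format-Table -AutoSize
```

Rows marked REVIEW are settings still at a relay-friendly value; the LDAP checks only matter on domain controllers and will show as not set elsewhere.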


Source: Winbuzzer

Juliana Luwoye
