Last month, French researcher Gilles Lionel discovered a vulnerability in various versions of Windows Server, which he named PetitPotam, and now there is an unofficial patch for it.
The problem can be used to force remote Windows servers to authenticate to an attacker and share NTLM authentication data or authentication certificates. Thus, after taking over a domain controller, attackers can use group policies, for example, to deploy malware to all available endpoints. Microsoft representatives subsequently advised disabling NTLM where it is not needed (for example, on domain controllers) and enabling the Extended Protection for Authentication mechanism.
However, Lionel wrote that PetitPotam abuses the EfsRpcOpenFileRaw feature in MS-EFSRPC, and that the Microsoft guidelines describe actions to prevent NTLM relay attacks but do not address abuse of the MS-EFSRPC API in general (EFSRPC is not even mentioned). The fact is that PetitPotam allows other attacks, for example downgrading to NTLMv1 using the Data Encryption Standard (DES), an insecure algorithm that makes it easy to recover passwords from hashes.
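As an added illustration that is not part of the original article, the Python snippet below shows two checks defenders run over Windows Security Event ID 4624 (logon) records in light of the points above: NTLM logons whose package name is NTLM V1 (the downgrade Lionel describes) and network logons by machine accounts over NTLM (what a relayed, coerced server authentication looks like on the receiving host). The event text and addresses are constructed samples; the Event ID and field names are the standard 4624 ones.

```python
import re

# Constructed Security-log excerpts (Event ID 4624) in the text layout Event
# Viewer renders; these are illustrative samples, not captured data.
SAMPLE_EVENTS = """\
EventID: 4624
Account Name: DC01$
Logon Type: 3
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
Source Network Address: 10.0.0.77
---
EventID: 4624
Account Name: alice
Logon Type: 3
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
Source Network Address: 10.0.0.12
"""

# One "Key: value" field per line; keys contain no colon.
FIELD = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<val>.*)$", re.M)

def parse_events(text):
    """Split the log text on '---' separators into one dict per 4624 event."""
    events = []
    for chunk in text.split("---"):
        fields = {m["key"].strip(): m["val"].strip() for m in FIELD.finditer(chunk)}
        if fields.get("EventID") == "4624":
            events.append(fields)
    return events

def classify(event):
    """Return the list of findings for a single 4624 event (empty if benign)."""
    findings = []
    if event.get("Authentication Package") != "NTLM":
        return findings  # Kerberos logons are out of scope for these checks
    if event.get("Package Name (NTLM only)") == "NTLM V1":
        findings.append("ntlmv1-downgrade")  # DES-based; hashes are easy to crack
    if event.get("Account Name", "").endswith("$") and event.get("Logon Type") == "3":
        # A machine account logging on over NTLM from the network: on a relay
        # target this is how a coerced DC authentication appears, so confirm the
        # source address really belongs to that machine.
        findings.append("machine-account-ntlm")
    return findings

def flag_suspicious(text):
    """Map source address -> findings for every event that raised at least one."""
    hits = {}
    for event in parse_events(text):
        if findings := classify(event):
            hits[event["Source Network Address"]] = findings
    return hits
```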
Now the experts at 0patch have prepared temporary patches (micropatches) for this problem. Let me remind you that 0patch is a platform designed precisely for such situations: fixing 0-day and other unpatched vulnerabilities, supporting products that are no longer supported by their manufacturers, custom software, and so on.
The unofficial patch can be used to protect against PetitPotam NTLM relay attacks on the following Windows versions:
- Windows Server 2019 (with July 2021 updates);
- Windows Server 2016 (with July 2021 updates);
- Windows Server 2012 R2 (with July 2021 updates);
- Windows Server 2008 R2 (with January 2020 updates, no Extended Security Updates).
For Windows Server 2012 (not R2), Windows Server 2008 (not R2) and Windows Server 2003, the micropatch is not available because, according to 0patch's analysis, PetitPotam is not dangerous for these OS versions.
Let me remind you that we wrote earlier that "Vulnerabilities in NTLM Could Allow Domain Compromise".