While Microsoft is preparing the patch for PetitPotam vulnerability, 0patch has developed a micro patch to secure systems until then.
The patch was available for Windows server v2008 R2, 2012 R2, 2016, and 2019 versions. The PetitPotam flaw, if exploited, will let hackers takeover windows domains and injection malware, and perform malicious activities.
Unofficial Patch For PetitPotam Flaw
Many of Microsoft’s Windows servers are now vulnerable to a new system flaw – PetitPotam – as discovered by security researcher Gilles Lionel (aka Topotam) last week.
He detailed that threat actors can exploit this by force authenticating the targets’ Windows machines against their malicious NTLM relay servers through the Microsoft Encrypting File System Remote Protocol (EFSRPC) and take over the systems ultimately.
MS-RPRN to coerce machine authentication is great but the service is often disabled nowadays by admins on most orgz.
Here is one another way we use to elicit machine account auth via MS-EFSRPC. Enjoy!! 🙂https://t.co/AGiS4f6yt8
— topotam (@topotam77) July 18, 2021
This flaw was discovered last month, and soon Microsoft released a security advisory directing how to prevent NTLM relay attacks from happening, which target the Active Directory Certificate Services (AD CS). The advisory said vulnerable servers are those which are improperly configured.
While the advisory helps in thwarting NTLM Relay attacks, it didn’t specifically mention how to block the PetitPotam attacks from happening. This leaves most server systems prone to this attacking vector, as attackers are always active in hitting such open disclosures.
While Microsoft is hopefully preparing a patch for this, this could take time. Thus, here’s an unofficial patch released by 0patch micropatch service, for
- Windows Server 2019 (updated with July 2021 Updates)
- Windows Server 2016 (updated with July 2021 Updates)
- Windows Server 2012 R2 (updated with July 2021 Updates), and
- Windows Server 2008 R2 (updated with January 2020 Updates, no Extended Security Updates)
There’s no micropatch issued for Windows Server 2012 (non R2), Windows Server 2008 (non R2), and Windows Server 2003 since these aren’t exposed to PetitPotam attacks, as per 0patch analysis.
So, to secure your system from this domain takeover flaw, create an account in the 0patch service and download the concerned patch immediately. This will run until Microsoft releases an official replacement.