Following the discovery of the Windows PetitPotam vulnerability last month, an unofficial free patch from 0patch has now surfaced to block attackers from taking advantage of the NTLM relay attack vulnerability.
The attack vector forces Windows machines to authenticate to malicious NTLM relay servers using EFSRPC, otherwise called the Microsoft Encrypting File System Remote Protocol. The bug was discovered in July by security researcher Gilles Lionel.
This allows attackers to completely take over Windows domains, push new group policies, and deploy malware, including but not limited to ransomware on all domain endpoints.
What’s Microsoft doing?
Following the discovery, Microsoft put out a security advisory explaining how to prevent such attacks from targeting Active Directory Certificate Services. The advisory also implied that Microsoft does not consider this a vulnerability but rather a misconfiguration.
While the advisory does help in mitigating the attack, there’s no official patch from Microsoft so far that can completely block the attack vector, which can also be used for other attacks, including NTLMv1 downgrades.
The free patch from the 0patch micro patching service was released on Friday and can block NTLM PetitPotam relay attacks on the following Windows versions:
- Windows Server 2019 (including the July 2021 update)
- Windows Server 2016 (including the July 2021 update)
- Windows Server 2012 R2 (including the July 2021 update)
- Windows Server 2008 R2 (including the January 2020 update)
Windows Server 2012 (non-R2), Server 2008 (non-R2) and Server 2003 haven’t received any patches. 0patch’s analysis indicates that the vulnerability doesn’t affect these releases.
To install the patch, users need to create a 0patch account and install the 0patch agent, which will, in turn, install the patch on the system. If you’re a server admin who can’t immediately deploy the patch or are sceptical about it, you can also block these attacks using NETSH RPC filters that block remote access to the MS-EFSRPC API and so cut off the attack vector. There are several other mitigations included in Microsoft’s advisory as well.
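As an added illustration of the RPC-filter mitigation mentioned above (this is example configuration written for this article, not 0patch’s or Microsoft’s own published script), the following commands, run from an elevated prompt, install a Windows RPC filter that blocks remote calls to the MS-EFSRPC interface. The two UUIDs are the well-known MS-EFSRPC interface identifiers (the protocol is reachable over both the \pipe\lsarpc and \pipe\efsrpc endpoints, so both must be blocked); one filter is created per interface.

```powershell
# Block remote access to the MS-EFSRPC interfaces with a Windows RPC filter.
# Run in an elevated prompt; added example, not from the original article.

# Interface exposed via \pipe\lsarpc
netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
netsh rpc filter add filter

# Interface exposed via \pipe\efsrpc
netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
netsh rpc filter add filter

# Verify that both filters are in place (each lists its interface UUID).
netsh rpc filter show filter

# To roll back, remove the filters by the filterKey shown above, e.g.:
#   netsh rpc filter delete filter filterkey=<key-from-show-filter>
```

Because the filter blocks every remote caller of these interfaces, it also disables remote EFS operations on the host, so test it on a non-production server first and confirm with `netsh rpc filter show filter` that only the intended interfaces are covered before rolling it out to domain controllers.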