Windows PetitPotam vulnerability gets an unofficial free patch

A free unofficial patch is now available to block attackers from taking over domain controllers and compromising entire Windows domains via PetitPotam NTLM relay attacks.

The PetitPotam attack vector that forces Windows machines to authenticate against threat actors’ malicious NTLM relay servers using the Microsoft Encrypting File System Remote Protocol (EFSRPC) was disclosed last month by security researcher Gilles Lionel (aka Topotam).

Using this attack method, threat actors can completely take over Windows domains, allowing them to push new group policies and deploying malware (including ransomware) on all endpoints.

In July, Microsoft released a security advisory explaining how to mitigate NTLM relay attacks targeting Active Directory Certificate Services (AD CS) and saying that vulnerable servers are not correctly configured.

While Microsoft’s advisory is designed to help prevent NTLM relay attacks, it does not provide any guidance on how to actually block PetitPotam, which could also be used as a vector for other attacks such as NTLMv1 downgrades.

Free PetitPotam micropatch available

The 0patch micropatching service has released today a free unofficial patch that can be used to block PetitPotam NTLM relay attacks on the following Windows version:

• Windows Server 2019 (updated with July 2021 Updates)
• Windows Server 2016 (updated with July 2021 Updates)
• Windows Server 2012 R2 (updated with July 2021 Updates)
• Windows Server 2008 R2 (updated with January 2020 Updates, no Extended Security Updates) 

No micropatch was issued for Windows Server 2012 (non R2), Windows Server 2008 (non R2), and Windows Server 2003 because, based on 0patch’s analysis, these releases are not impacted by PetitPotam.

To install the micropatch on your system, you first need to register a 0patch account and then install the 0patch agent. 

“Micropatches for this vulnerability are, as always, automatically downloaded and applied to all affected computers (unless your policy prevents that), and will be free until Microsoft has issued an official fix,” 0patch co-founder Mitja Kolsek said.

If you can’t immediately deploy one of these temporary patches, you can also defend against PetitPotam attacks using NETSH RPC filters that block remote access to the MS-EFSRPC API, effectively removing the unauthenticated PetitPotam attack vector.