Threat Update
A new privilege escalation vulnerability has been discovered in the Windows RPC protocol. This vulnerability, known as RemotePotato0, is an NTLM relay attack that could allow attackers to escalate their privileges from a normal user all the way up to Domain Admin. Microsoft has announced that it will not provide a fix for this vulnerability, stating that “servers must defend themselves” against NTLM relay attacks. There are hardening methods that can lessen the likelihood of these attacks, and SKOUT recommends applying them.
Technical Detail & Additional Information
WHAT IS THE THREAT?
An NTLM relay attack vulnerability exists in the Windows RPC protocol. It makes it possible to trigger authenticated RPC/DCOM calls and relay the NTLM authentication to other protocols. This means that attackers can take authentication obtained using RPC/DCOM and relay it to other resources such as HTTP, SMB, LDAP, and others, in order to escalate privileges within a network.
WHY IS IT NOTEWORTHY?
This vulnerability poses a significant threat to an enormous number of users. Every Windows system is vulnerable, and with Microsoft not currently planning to take action, Windows systems will remain vulnerable unless their owners take action on their own. Windows machines are used and trusted by millions of companies worldwide. Attackers with knowledge of this vulnerability could do serious damage, as they have many different companies to potentially target. Any company that uses Windows machines in its business should look to implement the hardening techniques that have been released to help prevent exploitation of this vulnerability.
WHAT IS THE EXPOSURE OR RISK?
If a device is exploited, attackers could do all sorts of damage. This vulnerability could allow attackers to bypass security measures that keep devices safe. It could allow attackers to escalate their privileges and become a man-in-the-middle (MITM) on a network. This could allow attackers to alter accounts and to access files and emails, which could contain sensitive personal and company information stored on the affected devices. It could also allow attackers to gain admin privileges within an organization's network. This would be extremely dangerous, as it could lead to data compromise and to services becoming unavailable. The risk for customers using Windows machines that have not been hardened is significant, and they should look to update to patched versions as soon as possible.
WHAT ARE THE RECOMMENDATIONS?
At this time, there are no plans from Microsoft to release a patch for this vulnerability. This means that hardening is the only option for users to prevent this vulnerability from being exploited.
HTTP/HTTPS – remove all non-TLS protected HTTP bindings and configure Channel Binding Tokens validation by setting the tokenChecking attribute to “allow” or “require”.
LDAP – set the domain controller LDAP server signing requirements group policy to require signature for non-LDAPS LDAP connections.
- https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements#best-practices
- https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-ef185fb8-00f7-167d-744c-f299a66fc00a
SMB – Configure SMB signing by setting the Group Policy Digitally sign server communication to always.
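The three settings above can be verified on a server with a read-only audit. The following PowerShell is an added example, not code from SKOUT or Microsoft; it assumes the SMB and LDAP policies are backed by the `RequireSecuritySignature` and `LDAPServerIntegrity` registry values and that the IIS `WebAdministration` module is present for the HTTP check.

```powershell
# Added example: read-only audit of the three hardening settings listed above.
# Run elevated on the server being checked; nothing is modified.
function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the value is absent, i.e. the policy was never configured.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
function New-Finding($Protocol, $Item, $Value, [bool]$Hardened) {
    [pscustomobject]@{ Protocol = $Protocol; Item = $Item; Value = $Value; Hardened = $Hardened }
}
$findings = @()

# SMB: "Digitally sign server communication (always)" maps to RequireSecuritySignature = 1
$smb = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
$findings += New-Finding 'SMB' 'RequireSecuritySignature' $smb ($smb -eq 1)

# LDAP: the NTDS key exists only on domain controllers; 2 = require signing.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    $ldap = Get-RegValue $ntds 'LDAPServerIntegrity'
    $findings += New-Finding 'LDAP' 'LDAPServerIntegrity' $ldap ($ldap -eq 2)
}

# HTTP: per IIS site, flag plain-http bindings and tokenChecking left at None.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    foreach ($site in Get-Website) {
        $http = @($site.Bindings.Collection | Where-Object { $_.protocol -eq 'http' }).Count
        $tok = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" -Filter $filter -Name 'tokenChecking'
        if ($tok -isnot [string]) { $tok = $tok.Value }   # accept an attribute object as well as a string
        $ok = ($http -eq 0) -and ($tok -in 'Allow', 'Require')
        $findings += New-Finding 'HTTP' $site.Name "httpBindings=$http; tokenChecking=$tok" $ok
    }
}

$findings | Format-Table -AutoSize
```

Any row with `Hardened` set to `False` identifies a relay target that still accepts unsigned or unbound NTLM authentication. An empty `Value` means the setting has never been configured on that host.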
If you have any questions, please contact our Security Operations Center.