The RemotePotato0 zero-day vulnerability, which affects all current versions of the Windows operating system and can be used by attackers to elevate system privileges, has received an unofficial fix. This isn’t the first unofficial patch to address the issue, but an official fix from Microsoft does not appear to be forthcoming.
According to the available data, the RemotePotato0 vulnerability was first discovered by cybersecurity experts Antonio Cocomazzi and Andrea Pierini. They notified Microsoft of their finding in April 2021. Although the software giant has acknowledged the problem, the vulnerability has not been assigned a CVE ID, and it appears that Microsoft has no plans to fix it.
“The vulnerability allows an attacker with low privileges authorized on the system to run one of several specialized applications in the session of another user who is also authorized on the system. Because of this, it can send the specified user’s NTLM hash to a device with any IP address. By intercepting a domain administrator’s NTLM hash, an attacker could make a request to the domain controller and impersonate an administrator in order to elevate privileges or perform other actions,” commented Mitja Kolsek, one of the participants of the 0patch project.
The source notes that while the NTLM (Windows NT LAN Manager) protocol is deprecated, it is still used on Windows servers. Probably because the protocol is outdated, Microsoft does not plan to close the RemotePotato0 vulnerability. Instead, the software giant recommended not using NTLM or configuring servers in such a way that an attack via the RemotePotato0 vulnerability is ruled out.