20,223 questions
This is also addressed in Microsoft article KB5005413 which has mitigations as well.
RemotePotato0: Privilege Escalation Vulnerability in Windows RPC Protocol
Duncan
56
Reputation points
I have found this interesting article: https://borncity.com/win/2021/07/27/remotepotato0-privilege-escalation-schwachstelle-im-windows-rpc-protocol/
This article refers to: https://labs.sentinelone.com/relaying-potatoes-dce-rpc-ntlm-relay-eop/
The latter states that this so-called 'remotepotato0-privilege-escalation' has been reported to Microsoft: 11/30/2020 – Submitted vulnerability to MSRC case 62293
and lists a statement from MS: 4/13/2021 – Microsoft informed us that, after an extensive review, they determined that “Servers must defend themselves against NTLM relay attacks” (side note: setting the sign flag in NTLM provider as well as SPNEGO would have inhibited this exploit…)
Is there any CVE out there, which handles this case? Is there any OFFICIAL statement from Microsoft? Does anyone have more information on detailed mitigation for this exploit?
Windows for business | Windows Server | User experience | Other
{count} votes
-
Andy YOU 3,076 Reputation points2021-07-28T15:07:23.48+00:00 HI
"Is there any CVE out there, which handles this case? Is there any OFFICIAL statement from Microsoft?"
When I filter "Elevation of Privilege Vulnerability" in below link, I still can't find this Vulnerability information. If I find any related document, I will post it ASAP. Thanks for your waiting.Security Update Guide
https://msrc.microsoft.com/update-guide/vulnerability
Sign in to comment
1 answer
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 47%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Buckleau 26 Reputation points2021-09-13T22:53:31.817+00:00 -
Duncan 56 Reputation points
2021-09-14T07:56:16.35+00:00 No, that's a different kind of attack. Has nothing to do with Cert.-Services...
Sign in to comment -