Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Hackers Can Bypass Windows Lockscreen on Remote Desktop Sessions

The Network Level Authentication (NLA) feature of Windows Remote Desktop Services (RDS) can allow a hacker to bypass the lockscreen on remote sessions, and there is no patch from Microsoft, the CERT Coordination Center at Carnegie Mellon University warned on Tuesday.

The Network Level Authentication (NLA) feature of Windows Remote Desktop Services (RDS) can allow a hacker to bypass the lockscreen on remote sessions, and there is no patch from Microsoft, the CERT Coordination Center at Carnegie Mellon University warned on Tuesday.

NLA provides better protection for Remote Desktop (RD) sessions by requiring the user to authenticate to the RD Session Host server before a session is created. Microsoft recently recommended NLA as a workaround for a critical RDS vulnerability tracked as BlueKeep and CVE-2019-0708.

When a user connects to a remote system over RDS, they can lock the session similar to how sessions can be locked locally in Windows. If the session is locked, the user is presented with a lockscreen where they have to authenticate in order to continue using the session.

Joe Tammariello of the Software Engineering Institute at Carnegie Mellon University discovered a vulnerability that can be exploited to bypass the lockscreen on an RDS session. The flaw, tracked as CVE-2019-9510 and assigned a CVSS score of 4.6 (medium severity), affects versions of Windows starting with Windows 10 1803 and Server 2019.

“If a network anomaly triggers a temporary RDP disconnect, upon automatic reconnection the RDP session will be restored to an unlocked state, regardless of how the remote system was left,” CERT/CC explained in an advisory.

The organization has described the following attack scenario: the targeted user connects to a Windows 10 or Server 2019 system via RDS, they lock the remote session, and leave the client device unattended. At this point, an attacker who has access to the client device can interrupt its network connectivity, and they can then gain access to the remote system without needing any credentials.

“Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, are also bypassed using this mechanism. Any login banners enforced by an organization will also be bypassed,” CERT/CC said.

Tammariello reported his findings to Microsoft, but the tech giant apparently does not plan on patching the vulnerability too soon.

Advertisement. Scroll to continue reading.

“After investigating this scenario, we have determined that this behavior does not meet the Microsoft Security Servicing Criteria for Windows,” Microsoft said, according to CERT/CC vulnerability analyst Will Dormann.

Users can protect themselves against potential attacks via two methods: locking the local system instead of the remote system, and disconnecting the RDS session instead of locking it.

Related: One Million Devices Vulnerable to BlueKeep as Hackers Scan for Targets

Related: Researcher Drops 3 Separate 0-Day Windows Exploits in 24 Hours

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Dan Pagel has been named the new CEO of risk management and remediation firm Brinqa.

The City of Phoenix has promoted Mitch Kohlbecker to the role of Chief Information Security Officer.

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.