Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Microsoft Patches Remote Code Execution Flaw in CredSSP

A vulnerability (CVE-2018-0886) patched by Microsoft with its

A vulnerability (CVE-2018-0886) patched by Microsoft with its March 2018 security patches was a remote code execution flaw in the Credential Security Support Provider protocol (CredSSP) used by Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM).

This vulnerability can be exploited by an attacker to relay user credentials to execute code on a target system. The authentication provider, Microsoft explains, processes authentication requests for other applications, meaning that the vulnerability puts all applications that depend on CredSSP at risk.

Preempt, which discovered the bug, explains that this is a logical vulnerability that affects all Windows versions to date. With almost all enterprise customers using RDP, exploitation of this vulnerability could have a vast impact, the researchers say.

Cybercriminals can set up a man-in-the-middle attack, wait for a CredSSP session, and then steal session authentication to perform a Remote Procedure Call (DCE/RPC) attack on the server the user attempted to connect to.

Chris Morales, head of security analytics at Vectra, pointed out to SecurityWeek in an emailed comment that this type of activity could rather be considered a form of internal reconnaissance that any company properly monitoring their internal environment should be able to detect.

“In the big picture, there are a lot of variables that have to be right in a targeted environment for this attack to succeed. Most importantly, the attacker needs to already be on the network and in a position between the clients and servers. If an attacker is already that deep in the network, there are many other things they could do scope out a network, find authentication accounts and compromise a server,” Morales said.

Once they managed to steal the session, the attacker can run commands to install programs, read / modify / delete data, or create new accounts with full user rights.

< span>Scenarios in which the vulnerability can be exploited include those where the attacker has some physical access to the targeted network, those where Address Resolution Protocol (ARP) poisoning is used for lateral movement, or those where the attacker is targeting sensitive servers via vulnerable routers or switches, Preempt says. The company also published a video detailing the vulnerability.

Advertisement. Scroll to continue reading.

“To be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems,” Microsoft explains.

The vulnerability impacts Windows 7, Windows 8.1, and Windows 10 systems, as well as Windows Server 2008, Windows Server 2012, and Windows Server 2016.

To address the issue, Microsoft released an update to correct the manner in which CredSSP validates requests during the authentication process. The update patches the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.

“Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible,” Microsoft says.

The software giant also explains that this patch is only the first update it is releasing to address the issue. An update planned for next month should “enhance the error message that is presented when an updated client fails to connect to a server that has not been updated,” while another planned for May should “change the default setting from Vulnerable to Mitigated.”

The company also urges admins to check a compatibility table it published on Tuesday and pay close attention to Group Policy or registry settings pairs that result in “Blocked” interactions between clients and servers.

“Vulnerabilities, like this CredSSP issue that Microsoft is fixing today, become yet another example of how dangerous it can be to rely on security or administration tools without locking them down with hardened configurations. RDP is a widely used tool, but, as this exploit shows, a Man-in-the-Middle attack makes the use of this tool especially dangerous if the user is logging in with an administrator credential of any sort,” Nathan Wenzler, chief security strategist at AsTech, told SecurityWeek in an emailed comment.

“It’s imperative that admins and security practitioners are doing more to reduce the amount of privileged access their administrators possess, that tools such as RDP are disabled if they’re not being used, and doing whatever else they can to limit the amount of administrator-level exposure that an attacker might be able to compromise anywhere along the chain and then use to wreak havoc on the rest of the network,” Wenzler concluded.

Related: Microsoft Patches Over Dozen Critical Browser Flaws

Related: RDP Tops Email for Ransomware Distribution: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights