Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Microsoft Patches Remote Code Execution Flaw in CredSSP

A vulnerability (CVE-2018-0886) patched by Microsoft with its

A vulnerability (CVE-2018-0886) patched by Microsoft with its March 2018 security patches was a remote code execution flaw in the Credential Security Support Provider protocol (CredSSP) used by Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM).

This vulnerability can be exploited by an attacker to relay user credentials to execute code on a target system. The authentication provider, Microsoft explains, processes authentication requests for other applications, meaning that the vulnerability puts all applications that depend on CredSSP at risk.

Preempt, which discovered the bug, explains that this is a logical vulnerability that affects all Windows versions to date. With almost all enterprise customers using RDP, exploitation of this vulnerability could have a vast impact, the researchers say.

Cybercriminals can set up a man-in-the-middle attack, wait for a CredSSP session, and then steal session authentication to perform a Remote Procedure Call (DCE/RPC) attack on the server the user attempted to connect to.

Chris Morales, head of security analytics at Vectra, pointed out to SecurityWeek in an emailed comment that this type of activity could rather be considered a form of internal reconnaissance that any company properly monitoring their internal environment should be able to detect.

“In the big picture, there are a lot of variables that have to be right in a targeted environment for this attack to succeed. Most importantly, the attacker needs to already be on the network and in a position between the clients and servers. If an attacker is already that deep in the network, there are many other things they could do scope out a network, find authentication accounts and compromise a server,” Morales said.

Once they managed to steal the session, the attacker can run commands to install programs, read / modify / delete data, or create new accounts with full user rights.

< span>Scenarios in which the vulnerability can be exploited include those where the attacker has some physical access to the targeted network, those where Address Resolution Protocol (ARP) poisoning is used for lateral movement, or those where the attacker is targeting sensitive servers via vulnerable routers or switches, Preempt says. The company also published a video detailing the vulnerability.

Advertisement. Scroll to continue reading.

“To be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems,” Microsoft explains.

The vulnerability impacts Windows 7, Windows 8.1, and Windows 10 systems, as well as Windows Server 2008, Windows Server 2012, and Windows Server 2016.

To address the issue, Microsoft released an update to correct the manner in which CredSSP validates requests during the authentication process. The update patches the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.

“Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible,” Microsoft says.

The software giant also explains that this patch is only the first update it is releasing to address the issue. An update planned for next month should “enhance the error message that is presented when an updated client fails to connect to a server that has not been updated,” while another planned for May should “change the default setting from Vulnerable to Mitigated.”

The company also urges admins to check a compatibility table it published on Tuesday and pay close attention to Group Policy or registry settings pairs that result in “Blocked” interactions between clients and servers.

“Vulnerabilities, like this CredSSP issue that Microsoft is fixing today, become yet another example of how dangerous it can be to rely on security or administration tools without locking them down with hardened configurations. RDP is a widely used tool, but, as this exploit shows, a Man-in-the-Middle attack makes the use of this tool especially dangerous if the user is logging in with an administrator credential of any sort,” Nathan Wenzler, chief security strategist at AsTech, told SecurityWeek in an emailed comment.

“It’s imperative that admins and security practitioners are doing more to reduce the amount of privileged access their administrators possess, that tools such as RDP are disabled if they’re not being used, and doing whatever else they can to limit the amount of administrator-level exposure that an attacker might be able to compromise anywhere along the chain and then use to wreak havoc on the rest of the network,” Wenzler concluded.

Related: Microsoft Patches Over Dozen Critical Browser Flaws

Related: RDP Tops Email for Ransomware Distribution: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Jason Hogg has been named Executive Chairman of CYPFER.

HUB Cyber Security has appointed former PayPal and American Express executive Paul Parisi as its Global Chief Revenue Officer.

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

More People On The Move

Expert Insights