As part of its monthly Update Tuesday, Microsoft announced this week that they’ve released a preliminary fix for a vulnerability rated important, and present in all supported versions of Windows in circulation (basically any client or server version of Windows from 2008 onward).
The flaw affects the Credential Security Support Provider (CredSSP) protocol, which is used in all instances of Windows’ Remote Desktop Protocol (RDP) and Remote Management (WinRM).
The vulnerability, CVE-2018-0886, could allow remote code execution via a physical or wifi-based Man-in-the-Middle attack, where the attacker steals session data, including local user credentials, during the CredSSP authentication process.
Although Microsoft says the bug has not yet been exploited, it could cause serious damage if left unpatched.
RDP is widely used in enterprise environments and an attacker who successfully exploits this bug could use it to gain a foothold from which to pivot and escalate. It’s also popular with small businesses who outsource their IT administration and, needless to say, an attacker with an admin account has all the aces.
Security researchers at Preempt say they discovered and disclosed this vulnerability to Microsoft last August, and Microsoft has been working since then to create the patch released this week.
Now it’s out there, it’s a race against time to make sure you aren’t an easy target for an attacker who wants to try and kick the tires on this vulnerability.
Obviously, patch as soon as possible and please follow Microsoft’s guidance carefully:
Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible. These changes will require a reboot of the affected systems.
Pay close attention to Group Policy or registry settings pairs that result in “Blocked” interactions between clients and servers in the compatibility table later in this article.
Both the “Force updated clients” and “Mitigated” settings prevent RDP clients from falling back to insecure versions of CredSSP. The “Force updated clients” setting will not allow services that use CredSSP to accept unpatched clients but “Mitigated” will.
Windows RDP as a tempting attack vector
If you’ve ever worked in an office and run into issues with your Windows-based computer, there’s a decent chance that your IT administrator helped you from afar using RDP.
It’s been around in some form or another since Windows XP and allows an administrator to control another person’s machine, usually so they can fix issues directly and quickly. (Given that many IT staff aren’t located in the same country as the people they are trying to help, RDP is certainly a lot faster than waiting for tech help to show up at your desk.)
RDP works directly via the user interface, allowing a remote user to interact with a target computer as if they were sat at the keyboard right in front of it.
And that’s what makes it such an appealing target for attackers.
With an RDP session, an attacker can run privilege escalation exploits and then attempt to disable protective measures, install hacking tools, attack other machines on the same network, shut down key systems like backups or SQL databases and, of course, run malware.
Attacks like this allow hackers to take their time, discover the lay of the land and even try out different types of ransomware until they find one that works.
For more information on RDP attacks, and how to harden yourself against them, read our recent article about how ransomware-spreading hackers sneak in through RDP.