Researchers have found an unexpected behavior in a Windows feature designed to protect remote sessions that could allow attackers to take control of them.
The issue, discovered by Joe Tammariello at the CERT Coordination Center (CERT) at Carnegie Mellon’s Software Engineering Institute, is documented as CVE-2019-9510. It stems from Network Level Authentication (NLA), which is a feature that you can use to protect Windows installations that have the Remote Desktop Protocol (RDP) enabled. NLA stops anyone from remotely logging into the Windows computer by requiring them to authenticate first.
Starting with Windows 10 release 1903 in April 2019, and with Windows Server 2019, Microsoft changed the way NLA works. Now, the authentication mechanism caches the client’s login credentials on the RDP host so that it can quickly log the client in again if it loses connectivity. The change enables an attacker to circumvent a Windows lock screen, warns CERT/CC, which disclosed the issue, in an advisory.
Let’s say you remotely log in to a Windows box using RDP. Then, you lock that remote desktop to stop an attacker from accessing it from your machine while you leave the room.
The attacker could interrupt the network connection between the local machine and the remote Windows box and then reestablish it, by unplugging the network cable and plugging it in again (or disabling and re-enabling Wi-Fi).
That’s where the unexpected behavior kicks in, according to the advisory:
Because of this vulnerability, the reconnected RDP session is restored to a logged-in desktop rather than the login screen. This means that the remote system unlocks without requiring any credentials to be manually entered.
The behavior also bypasses multi-factor authentication (MFA) systems that integrate with the Windows login screen, explains the advisory. Duo Security admits that its MFA products are affected, adding that the issue isn’t its fault:
By forcing the use of cached credentials, Microsoft has broken functionality used by credential providers to add resilience to this workflow.
However, rival MFA firm Silverfort says that it isn’t affected because it doesn’t rely on the Windows lock screen:
Due to the way our products [sic] operates, we are not affected by this vulnerability. We use a unique technology which allows us to enforce MFA on top of the authentication protocol itself (e.g. Kerberos, NTLM, LDAP) without relying on Windows login screen.
Microsoft also responded to the issue, explaining that it’s a feature, not a bug. It told CERT:
After investigating this scenario, we have determined that this behavior does not meet the Microsoft Security Servicing Criteria for Windows. What you are observing is Windows Server 2019 honoring Network Level Authentication (NLA). Network Level Authentication requires user creds to allow connection to proceed in the earliest phase of connection. Those same creds are used logging the user into a session (or reconnecting). As long as it is connected, the client will cache the credentials used for connecting and reuse them when it needs to auto-reconnect (so it can bypass NLA).
Unconvinced, Tammariello’s colleague Will Dormann still thinks you should work around it:
Courtesy of our own Joe Tammariello,— Will Dormann (@wdormann) June 4, 2019
When connected via RDP, modern Windows session locking does NOT require authentication to unlock. Microsoft doesn't plan to change this behavior, so do not use the "Lock" feature over RDP. Log out when done or away! https://t.co/HTAmN8vrkw pic.twitter.com/fevq4LvA3V
Given that Microsoft isn’t fixing this any time soon, you should use the local machine’s lock screen rather than relying on the remote box’s lock, says the CERT advisory. You can also disconnect RDP sessions when you go and visit the loo. Yes, it’s annoying, we know.
Responding to a user complaint, a Microsoft Technet moderator also said it was possible to disable automatic reconnection on the RDP host via group policy, and provided instructions.
If the phrase ‘Network Level Authentication’ rings a bell, it’s because Microsoft has recommended this as a protection measure against exploitation of CVE-2019-07-08, nicknamed BlueKeep, the serious exploit affecting pre-Windows 8 systems, which the NSA, amongst many others, is now begging people to patch.
This issue doesn’t mean that you shouldn’t use NLA to protect your pre-Windows 10 boxes. For one thing, this unexpected behavior only exists on Windows 10 and Windows Server 2019. BlueKeep doesn’t affect these editions of the Windows OS.