Preempt Researchers Find Critical Vulnerability that Exploits Authentication in Microsoft Remote Desktop Protocol (MS-RDP)

CredSSP flaw allows attackers to exploit Remote Desktop and Windows Remote Management, affecting all Windows versions to date

SAN FRANCISCO – March 13, 2018 – Preempt, a leader in adaptive threat prevention that helps enterprises eliminate insider threats and security breaches, today announced that its research team has found a critical Microsoft vulnerability: a logical flaw in the Credential Security Support Provider protocol (CredSSP), which Remote Desktop and WinRM use during authentication. CredSSP is responsible for securely forwarding credentials to the target server. The researchers found that an attacker with man-in-the-middle control over the session can abuse the flaw to run code remotely on the target server on behalf of the user.

Because Remote Desktop is the most widely used application for remote logins, this vulnerability is of serious concern. It could expose enterprises to a variety of threats, including lateral movement and infection of critical servers or domain controllers. The vulnerability affects all Windows versions to date (starting with Windows Vista).

“This vulnerability is a big deal, and while no attacks have been detected in the wild, there are a few real-world situations where attacks can occur,” said Roman Blachman, CTO and co-founder at Preempt. “Ensuring that your workstations are patched is the logical first step to preventing this threat. It’s important for organizations to use real-time threat response solutions to mitigate these types of threats.”

With this vulnerability, an attack can be mounted against an organization with nothing more than Wi-Fi or physical network access, since either lets an attacker launch a man-in-the-middle attack. Other routes, such as Address Resolution Protocol (ARP) poisoning or reaching sensitive servers through vulnerable routers and switches, also enable the attack.

Organizations can protect themselves from this vulnerability in a few ways:

  • Preempt customers are already protected from this flaw: the platform provides defense in depth, with both alerting and real-time prevention when vulnerabilities such as the CredSSP flaw are exploited in the network.
  • Make sure that workstations and servers are properly patched. This is a basic requirement. However, patching alone is not enough: IT professionals also need to make a configuration change to apply the patch and be protected.
  • As with many previous exploits, blocking the relevant application ports (RDP, DCE/RPC) would also thwart the attack. Note, however, that this attack could be carried out in different ways, even over different protocols.
  • Reduce privileged account usage as much as possible and use non-privileged accounts whenever applicable.
  • For more details on how organizations can protect themselves, read this blog: Security Advisory: Critical Vulnerability in CredSSP Allows Remote Code Execution on Servers (CVE-2018-0886)
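The "patch plus configuration change" step above can be verified on a host from PowerShell. The script below is an added example, not Preempt's or Microsoft's code; it assumes the CredSSP policy registry path and the meaning of its values as published in Microsoft's guidance for CVE-2018-0886, neither of which this page spells out.

```powershell
# Added example: audit the CredSSP "Encryption Oracle Remediation" policy.
# Assumption: registry path and value meanings follow Microsoft's CVE-2018-0886
# guidance (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable).
function Get-CredSspRemediationStatus {
    [CmdletBinding()]
    param()

    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $name = 'AllowEncryptionOracle'

    # Read the policy value; $null means no explicit policy has been set.
    $value = $null
    if (Test-Path -Path $path) {
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = [int]$item.$name }
    }

    if ($null -eq $value) {
        $meaning = 'Not configured: the OS default for the installed update level applies'
    } elseif ($value -eq 0) {
        $meaning = 'Force Updated Clients: no insecure fallback, and unpatched clients are refused'
    } elseif ($value -eq 1) {
        $meaning = 'Mitigated: this host will not fall back to the insecure behaviour as a client'
    } elseif ($value -eq 2) {
        $meaning = 'Vulnerable: insecure fallback allowed; exposed to the MITM attack'
    } else {
        $meaning = "Unexpected value $value"
    }

    # Hardened only when the policy is explicitly set to a safe level.
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        AllowEncryptionOracle = $value
        Meaning               = $meaning
        Hardened              = ($value -eq 0 -or $value -eq 1)
    }
}

# Usage: run on each workstation or server after the March 2018 update is installed.
Get-CredSspRemediationStatus | Format-List
```

Hosts that report "Not configured" or "Vulnerable" still need the configuration change the second bullet refers to, even if the patch itself is installed.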

As of March 13, 2018, Microsoft has issued a patch for CVE-2018-0886 following Preempt’s responsible disclosure of the CredSSP vulnerability. More information can be found on the Microsoft site.

Additional Resources