As part of Patch Tuesday, Microsoft today released a patch for CVE-2018-0886, a remote code execution vulnerability in the company’s authentication processing Credential Security Support Provider (CredSSP) protocol, which is used by Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM).
The flaw could allow an attacker to steal user credentials and execute code on a target system.
“Any application that depends on CredSSP for authentication may be vulnerable to this type of attack,” Microsoft warned.
To mitigate the threat, Microsoft is urging admins to enable Group Policy systems on their systems and update all Remote Desktop clients. “We recommend that administrators apply the policy and set it to ‘Force updated clients’ or ‘Mitigated’ on client and server computers as soon as possible,” the company advised. “These changes will require a reboot of the affected systems.”
The vulnerability also highlights the importance of patch management systems.
The vulnerability was first uncovered by Preempt Security researchers, who noted that it affects all versions of Windows.
“In terms of the vastness of this issue, we can note that RDP is the most popular application to perform remote logins,” Preempt lead security researcher Yaron Zinar wrote in a blog post. “To further highlight this, in Preempt internal research we found that almost all enterprise customers are using RDP, making them vulnerable to this issue.”
Zinar noted that blocking the relevant application ports/service (RDP, DCE/RPC) would block the attack. “It is recommended to apply the proper network segmentation policy and block unnecessary ports/services,” he wrote.
Similarly, the attack relies on privileged users using their credentials to perform IT operations. “In order to better protect your network, you should reduce privileged account usage as much as possible and use non-privileged accounts whenever applicable,” Zinar added.
The researchers plan to demonstrate the attack next week at Black Hat Asia 2018.
Nathan Wenzler, chief security strategist at AsTech, told eSecurity Planet by email that vulnerabilities like these serve as yet another example of how dangerous it can be to rely on security or admin tools without locking them down with hardened configurations.
“Of course, Microsoft has an obligation to ensure the vulnerability is fixed, which they’re doing, but it’s imperative that admins and security practitioners are doing more to reduce the amount of privileged access their administrators possess, that tools such as RDP are disabled if they’re not being used, and doing whatever else they can to limit the amount of administrator-level exposure that an attacker might be able to compromise anywhere along the chain and then use to wreak havoc on the rest of the network,” Wenzler said.
Still, Vectra head of security analytics Chris Morales noted that several variables have to be right for this attack to succeed. “Most importantly, the attacker needs to already be on the network and in a position between the clients and servers,” he said. “If an attacker is already that deep in the network, there are many other things they could do scope out a network, find authentication accounts and compromise a server.”
As a result, Morales suggested, this threat might be best classified as an internal reconnaissance activity, one of many that an attacker might use. “As long as a company is properly monitoring their internal environment for attacker behaviors, and can correlate this type of behavior with other attacker behaviors, they should have sufficient visibility to detect and respond to this type of reconnaissance behavior,” he said.