Windows RDP flaw: 'Install Microsoft's patch, turn on your firewall'

Attackers can use a protocol bug in Windows RDP to steal session authentication and take over a network domain.
Written by Liam Tung, Contributing Writer

Microsoft's Patch Tuesday updates for March deliver fixes for 75 security bugs, including patches for 15 critical flaws and a serious vulnerability that exposes sysadmins to credential theft.

In addition to new updates to mitigate Meltdown and Spectre, Microsoft has released fixes for 15 critical flaws affecting the scripting engine in Internet Explorer 11 and its JavaScript engine ChakraCore in Microsoft Edge. There are also 61 important fixes for Windows, Office, and ASP.NET Core.

An important-rated bug that's caught the attention of several security firms is CVE-2018-0886, a remote code execution flaw that affects CredSSP (the Credential Security Support Provider protocol).

CredSSP is used in Microsoft's widely used Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) to relay user credentials from a client to an application's server.

Microsoft says: "CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack."

It's rated as important as it can only be exploited in tandem with a man-in-the-middle attack. However, in that position, the attacker could steal session authentication from a user with local administrative privileges and then run unauthorized commands on a target server with the same privileges.

Preempt, the security firm that reported it, has a write-up of several issues behind the bug in a more detailed technical report.

According to Preempt, this bug isn't an attacker's entry point, but rather a technique for lateral movement and privilege escalation after they've either gained physical access to the target's Wi-Fi network, or once they've exploited a remote code execution flaw in a firm's routers, such as Cisco's severe ASA VPN bug, which Cisco patched in January and February.

"The attacker will set up the man-in-the-middle, wait for a CredSSP session to occur, and once it does, will steal session authentication and perform a Remote Procedure Call (DCE/RPC) attack on the server that the user originally connected to (eg, the server user connected with RDP)," explains Preempt researcher Yaron Zinar.


"An attacker [who has] stolen a session from a user with sufficient privileges could run different commands with local admin privileges. This is especially critical in the case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default."

If the attacker exploits a vulnerable router, they could infect a router near the server and wait for an IT admin to log in to the server using RDP.

The attacker may also exploit the recent KRACK Wi-Fi key reinstallation vulnerabilities to use this attack against any machine with RDP enabled over Wi-Fi.

Zinar's colleague Eyal Karni notes customers can mitigate the flaw by ensuring the Windows firewall is on, because RPC is not enabled by default for any interface.

However, domain admins are particularly vulnerable to this attack until Microsoft's patch has been installed.


"This is because a rule concerning RPC exists in Domain Controllers that enables any svchosts.exe DCOM interfaces. Furthermore, a quick survey found that RDP is the most common way in which domain admins tend to access the DC. In other words, by exploiting this attack, an attacker is likely to gain full control over the domain," writes Karni.

Microsoft was informed of the issue in August, but needed an extension well beyond the agreed 90-day disclosure timeframe to deliver a fix, according to Preempt's timeline.

Microsoft has a fix available for every supported version of Windows and Windows Server, but admins will also need to make configuration changes to fully remediate the bug. Microsoft has provided group policy instructions.
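The following PowerShell audit is an added example, not code from the article, Preempt or Microsoft. It checks the three things the article's mitigation advice turns on: whether the Windows firewall is enabled per profile, whether an RDP listener is present, and which CredSSP "Encryption Oracle Remediation" level the host is configured for. The registry path, the AllowEncryptionOracle value name and its 0/1/2 meanings are assumed from Microsoft's published guidance for CVE-2018-0886; they do not appear in the article itself.

```powershell
# Added example: audit a Windows host's CredSSP (CVE-2018-0886) posture.
# Assumption (from Microsoft's guidance, not this article): the group policy
# "Encryption Oracle Remediation" is stored under the key below as a DWORD
# AllowEncryptionOracle, where 0 = Force Updated Clients, 1 = Mitigated,
# 2 = Vulnerable. If the value is absent, the OS default applies.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspPosture {
    $item = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Level = $null; Meaning = 'Not configured (OS default applies)' }
    }
    $level = [int]$item.AllowEncryptionOracle
    $meaning = if ($Levels.ContainsKey($level)) { $Levels[$level] } else { 'Unknown value' }
    [pscustomobject]@{ Level = $level; Meaning = $meaning }
}

function Get-FirewallPosture {
    # The article's interim mitigation: keep the Windows firewall on, because
    # RPC is not exposed on any interface by default when it is enabled.
    Get-NetFirewallProfile | Select-Object Name, Enabled
}

function Get-RdpListener {
    # Hosts with an RDP listener are the ones an attacker in a MitM position
    # would wait for an admin to connect to.
    Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

# Report
$posture = Get-CredSspPosture
Write-Host "CredSSP Encryption Oracle Remediation: $($posture.Meaning)"
if ($posture.Level -eq 2) {
    Write-Warning 'Host is explicitly set to Vulnerable; apply the patch and raise the policy level.'
}
Write-Host 'Firewall profiles:'
Get-FirewallPosture | Format-Table -AutoSize
$disabled = Get-FirewallPosture | Where-Object { -not $_.Enabled }
if ($disabled) {
    Write-Warning "Firewall disabled for profile(s): $($disabled.Name -join ', ')"
}
Write-Host 'RDP listeners:'
Get-RdpListener | Format-Table -AutoSize
```

Run it in an elevated session on a server, or wrap it in Invoke-Command to sweep domain controllers, which the article singles out as the highest-value targets.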

