Researchers have identified a significant vulnerability in the Credential Security Support Provider protocol (CredSSP) that affects all current versions of Windows. The flaw could allow a remote attacker to abuse both Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) connections to gain unauthorized access to sensitive data and execute malicious code on targeted systems.

CredSSP is the mechanism Windows clients use to securely forward encrypted credentials to a target server for remote authentication. The vulnerability, tracked as CVE-2018-0886 and discovered by researchers at Preempt Security, stems from a logical weakness in the protocol's cryptography. A man-in-the-middle attacker, particularly one with Wi-Fi or physical access to the network, can exploit it to steal session authentication data and mount Remote Procedure Call attacks.

When a secure RDP or WinRM connection is established between a client and a server, an attacker positioned in the middle can execute commands remotely, jeopardizing enterprise networks. Yaron Zinar, Preempt’s lead security researcher, emphasized the criticality of this vulnerability, noting that an attacker who compromises a session held by a privileged user could execute commands with local administrative rights. This risk is particularly acute for domain controllers, as default configurations enable most Remote Procedure Calls (DCE/RPC).

The widespread reliance on RDP for remote access among enterprises amplifies the potential impact of this issue, leaving numerous corporate networks exposed. Although Preempt reported the vulnerability to Microsoft in August of the previous year, Microsoft only issued a fix recently, as part of its Patch Tuesday updates, approximately seven months after the discovery.

To mitigate the risk posed by the CredSSP vulnerability, organizations are strongly advised to promptly apply patches to their workstations and servers, utilizing the updates provided by Microsoft. However, experts caution that patching alone is insufficient. IT professionals should also implement configuration changes to fully restore protections.
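As an added example, not code from the article, from Preempt or from Microsoft, the following PowerShell script audits the Group Policy setting ("Encryption Oracle Remediation") that the CVE-2018-0886 update introduced, which is the kind of configuration change the article says must accompany the patch. The registry path, the `AllowEncryptionOracle` value name and the meaning of its values are assumed here from Microsoft's published guidance for the update; the article itself does not name them.

```powershell
# Added example, not code from the article or from Preempt/Microsoft.
# Audits (and optionally enforces) the "Encryption Oracle Remediation" policy that the
# CVE-2018-0886 update adds. The registry path, the AllowEncryptionOracle value name and
# the meaning of 0/1/2 are assumed from Microsoft's guidance for that update; the article
# does not state them. Run in an elevated PowerShell session on the host being audited.

$CredSspKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$CredSspValue = 'AllowEncryptionOracle'

# Value meanings per the policy's own description (assumption, see above).
$PostureText = @{
    0 = 'Force Updated Clients: unpatched peers are refused. Safe once every client and server is patched.'
    1 = 'Mitigated: clients refuse unpatched servers; servers still accept unpatched clients.'
    2 = 'Vulnerable: pre-update behaviour, CVE-2018-0886 remains exploitable.'
}

function Get-CredSspOraclePosture {
    <# Reads the policy value and classifies this host. An unset value means the installed
       update's built-in default applies, which cannot be read from here, so it is flagged. #>
    $item  = Get-ItemProperty -Path $CredSspKey -Name $CredSspValue -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$CredSspValue } else { $null }

    $text = if ($null -eq $value) {
        'Not configured: the update default applies, review the patch level'
    } elseif ($PostureText.ContainsKey($value)) {
        $PostureText[$value]
    } else {
        "Unexpected value $value"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Value        = $value
        Posture      = $text
        NeedsAction  = ($null -eq $value) -or ($value -ne 0)
    }
}

function Set-CredSspOracleForceUpdated {
    <# Registry-based equivalent of setting the policy to "Force Updated Clients".
       In a domain, prefer the Group Policy setting under
       Computer Configuration > Administrative Templates > System > Credentials Delegation. #>
    if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    New-ItemProperty -Path $CredSspKey -Name $CredSspValue -PropertyType DWord -Value 0 -Force | Out-Null
    Get-CredSspOraclePosture
}

# Usage: report the posture. Call Set-CredSspOracleForceUpdated only after confirming that
# every RDP/WinRM peer is patched, because value 0 makes connections to unpatched hosts fail.
$posture = Get-CredSspOraclePosture
$posture | Format-List
if ($posture.NeedsAction) {
    Write-Warning "CredSSP Encryption Oracle Remediation is not set to 'Force Updated Clients' on $($posture.ComputerName)."
}
```

The "Force Updated Clients" setting refuses connections to and from hosts that lack the update, so it is the end state, not the first step: confirm patch coverage across clients and servers first, and treat "Mitigated" as the intermediate setting while the rollout completes.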

In addition to applying patches, network defenses can be strengthened by blocking the application ports used by RDP and DCE/RPC. This is only a partial measure, however: the researchers note that the attack is not tied to these two protocols and can be carried out in other ways, potentially over different protocols altogether.

To enhance network security, it is wise to limit the use of privileged accounts, opting for non-privileged accounts wherever feasible. This practice can help reduce the attack surface and diminish the potential for unauthorized access.

As part of its March 2018 Patch Tuesday updates, Microsoft also released security patches addressing vulnerabilities in other products, including Internet Explorer, Microsoft Edge, Windows OS, Microsoft Office, PowerShell, and Adobe Flash Player. The ongoing vigilance and proactive measures in cybersecurity remain imperative for business owners seeking to safeguard their organizations against evolving threats.
