CredSSP Flaw in Remote Desktop Protocol

TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: II
Serial: TR-18-075-001
Countries: IN, CN
Report Date: 20180316

A critical vulnerability has been discovered in the Credential Security Support Provider protocol (CredSSP) that affects all versions of Windows. The flaw could allow remote attackers to abuse RDP and WinRM to steal data and run malicious code, taking control of the target's computer.

Impact

The Credential Security Support Provider (CredSSP) Protocol enables an application to securely delegate a user's credentials from a client to a target server. CredSSP is designed to be used by RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM). It forwards the credentials, encrypted, from the Windows client to the target server for remote authentication.[1]

The issue, tracked as CVE-2018-0886, was discovered by researchers. The vulnerability is a logical cryptographic flaw in CredSSP that can be exploited by a man-in-the-middle attacker. Such an attacker, positioned on the network through Wi-Fi or physical access, can steal session authentication data and perform a Remote Procedure Call attack.[2] Because RDP is widely used and present in almost every enterprise, this flaw broadens the exposure of enterprise networks.

Unfortunately, all versions of Windows are affected by this vulnerability.

Prevention and Mitigation Strategies

We highly recommend that our customers patch their workstations and servers using the available updates from Microsoft. On 13 March 2018, Microsoft released security patches for this issue.[3]

Researchers have warned that patching alone is not sufficient to prevent this attack. IT professionals must also make configuration changes to stay protected. Blocking the relevant application ports, including those for RDP and DCE/RPC, where they are not used is highly recommended to prevent an attack.
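The PowerShell script below is an added example, not part of the report: it audits whether RDP and the DCE/RPC endpoint mapper are listening on a Windows host and, only when run with -Enforce, creates host-firewall rules blocking them inbound. The port numbers (TCP 3389 for RDP, TCP 135 for the RPC endpoint mapper) are standard defaults assumed here, and the rule names are invented; run it as Administrator.

```powershell
# Added example (not from the report). Audit RDP and DCE/RPC listeners and,
# with -Enforce, block them at the host firewall where they are not needed.
# Assumed default ports: RDP = TCP 3389, RPC endpoint mapper = TCP 135.
# Blocking TCP 135 on a domain-joined host can break management traffic,
# so only enforce on hosts where the report's "if not used" condition holds.
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

$Ports = @{
    'RDP'     = 3389
    'DCE/RPC' = 135
}

foreach ($name in $Ports.Keys) {
    $port = $Ports[$name]

    # Who, if anyone, is listening on this port right now?
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    if ($listeners) {
        $procs = $listeners |
            ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } |
            Sort-Object -Unique
        Write-Output ("{0} (TCP {1}) is listening; owning process(es): {2}" -f $name, $port, ($procs -join ', '))
    } else {
        Write-Output ("{0} (TCP {1}) is not listening on this host" -f $name, $port)
    }

    # Hypothetical rule name; adjust to local naming conventions.
    $ruleName = "Block inbound $name (TCP $port) - CVE-2018-0886 mitigation"
    $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Output "Firewall rule already present: $ruleName"
    } elseif ($Enforce) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any | Out-Null
        Write-Output "Created firewall rule: $ruleName"
    } else {
        Write-Output "No block rule for $name; re-run with -Enforce to create one"
    }
}
```

The audit output is a useful inventory on its own: a host that shows RDP listening but has no business need for it is a candidate for the port block the report recommends, while patching remains required regardless.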

For questions or comments regarding this report, please contact the lab directly by phone at 603-606-1246 or by e-mail at feedback@wapacklabs.com.

[1] https://msdn.microsoft.com/en-us/library/cc239708.aspx

[2] https://thehackernews.com/2018/03/credssp-rdp-exploit.html

[3] https://technet.microsoft.com/en-us/security/bulletins
