14 March, 2018
Windows, Patching, Vulnerability
Microsoft has released a patch for CVE-2018-0886, a critical vulnerability affecting the Credential Security Support Provider (CredSSP) protocol.
The vulnerability affects Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) on all Windows versions released to date; an attacker who exploits it successfully can relay user credentials to execute code on the target system.

If the victim’s network has vulnerable equipment, it could result in an attacker gaining the ability to move laterally and infect Windows domain controllers with malicious software.

How can attackers exploit the flaw?

An attacker can exploit this vulnerability by mounting a man-in-the-middle (MITM) attack while a user is authenticating to an RDP or WinRM session, and use it to execute remote commands. Once a CredSSP session is established, the attacker can steal the session authentication and perform a Remote Procedure Call (DCE/RPC) attack against the server that the user originally connected to. Having gained privileged access to that system, the attacker can run arbitrary commands and install payloads with local admin privileges.

Screenshot of exploit scenario

This attack could be mounted through many scenarios, including:

An Attacker with WiFi or Physical Access

If an attacker has physical access to your network, they could easily launch a MITM attack. You might also be vulnerable to attacks like KRACK, which would expose every machine that uses RDP over WiFi to this new attack.

Address Resolution Protocol (ARP) Poisoning

This vulnerability means an attacker with control of one machine could easily move laterally and infect all machines in the same network segment.

Vulnerable Routers/Switches

An attacker can simply infect the router/switch near the server and wait for an IT admin to log on to the server using RDP.

Recommendations

Apply the Microsoft patch for CVE-2018-0886 as soon as possible; Microsoft's security guidance is available here:

https://portal.msrc.microsoft.com/en-us/security-guidance
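As an added defender-side check (not part of the original post), the script below reads the CredSSP "Encryption Oracle Remediation" policy value that Microsoft's update introduces and reports whether the host still allows fallback to the vulnerable protocol version. It assumes the registry path and value meanings from Microsoft's guidance for this CVE and is run in an elevated PowerShell session on the host being checked.

```powershell
# Added example, not code from the original post.
# Reports a host's CredSSP "Encryption Oracle Remediation" posture after the
# CVE-2018-0886 update. Assumes the registry location and values Microsoft
# documents for this policy (AllowEncryptionOracle: 0/1/2).

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName = 'AllowEncryptionOracle'

# Meaning of each policy value, per Microsoft's description of the setting.
$Meaning = @{
    0 = 'Force Updated Clients: clients never fall back to the insecure version and services refuse unpatched clients (most secure)'
    1 = 'Mitigated: clients never fall back to the insecure version; services still accept unpatched clients'
    2 = 'Vulnerable: clients may fall back to the insecure version (exposed to the CVE-2018-0886 MITM)'
}

function Get-CredSspPosture {
    # Absent value means no policy is configured; effective behaviour is then
    # the OS default for the installed update level, so flag it for review.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Host    = $env:COMPUTERNAME
            Value   = $null
            Posture = 'Policy not configured: review the default for this update level'
        }
    }

    $v = [int]$item.$ValueName
    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        Value   = $v
        Posture = if ($Meaning.ContainsKey($v)) { $Meaning[$v] } else { "Unrecognised value $v" }
    }
}

Get-CredSspPosture | Format-List
```

A result of 2, or an unconfigured policy on a host that has not yet received the update, is the condition to remediate; 0 or 1 means the host will not negotiate the vulnerable protocol version as a client.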
