CredSSP Update Breaks RDP
CVE-2018-0886 was fixed in March's Patch Tuesday software update and involves Microsoft's implementation of its Credential Security Support Provider protocol (CredSSP).
The CredSSP protocol is a Windows-specific mechanism responsible for securely forwarding authentication credentials between a client and a remote server in an internal network/domain.
CredSSP is a fundamental part of the Remote Desktop Protocol and the Windows Remote Management service, and both are vulnerable to exploitation. An attacker can exploit the CredSSP vulnerability to execute remote commands when users try to authenticate during RDP or WinRM sessions.
The security researchers who discovered this flaw while researching authentication in the RDP protocol suggested that users apply April's security updates to prevent future attempts at manipulation.
After installing this patch on a vulnerable workstation and attempting to connect to an unpatched server, users will see the following error message when they try to authenticate to the RDP session.
This error is seen when the patch is applied only on the client side and not on the server side. To overcome it, you need to ensure that the patch is also applied to the server.
There is also a local policy setting that is added by the installed security updates. This policy can be found under Computer Configuration >> Administrative Templates >> System >> Credentials Delegation >> Encryption Oracle Remediation. It is set to “Not Configured” by default.
As a workaround, this policy can be set to “Enabled” with the protection level set to Vulnerable. Setting the policy to Vulnerable allows your workstation to connect to the RDP session that was previously blocked by the mitigation. However, this is not recommended by Microsoft; ensuring that both the client and the server are patched is the best practice.
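To find machines where this workaround has been left in place, the following PowerShell audit reads the registry value behind the Encryption Oracle Remediation policy. It is an added example, not part of the original article: the registry path and the AllowEncryptionOracle mapping (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable) come from Microsoft's guidance for the CredSSP update rather than from this page, and the function name is hypothetical.

```powershell
# Added example: audit the Encryption Oracle Remediation policy on the local machine.
# Assumption: registry path and value mapping follow Microsoft's CredSSP update
# guidance; they are not stated in the article itself.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

$LevelNames = @{
    0 = 'Force Updated Clients'
    1 = 'Mitigated'
    2 = 'Vulnerable'
}

function Get-EncryptionOracleRemediation {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$KeyPath = $CredSspKey
    )

    # A missing key or value means the policy is "Not Configured".
    $item = Get-ItemProperty -Path $KeyPath -Name 'AllowEncryptionOracle' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $raw   = $null
        $level = 'Not Configured'
    } else {
        $raw = [int]$item.AllowEncryptionOracle
        if ($LevelNames.ContainsKey($raw)) { $level = $LevelNames[$raw] }
        else { $level = "Unknown ($raw)" }
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        RawValue        = $raw
        ProtectionLevel = $level
        # "Vulnerable" is the workaround described above; flag it for review.
        NeedsFollowUp   = ($level -eq 'Vulnerable') -or ($level -like 'Unknown*')
    }
}

$result = Get-EncryptionOracleRemediation
$result | Format-List
if ($result.NeedsFollowUp) {
    Write-Warning 'Encryption Oracle Remediation is Vulnerable or unrecognized: patch the remote side and revert this policy.'
}
```

The function returns an object rather than text, so its output can be collected from many hosts and filtered on NeedsFollowUp.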
This goes to show that patching is as important as ever, as new security vulnerabilities arise on a daily basis. Applying Microsoft patches on a regular basis is important for data centers that run Microsoft server operating systems. Mitigating known security vulnerabilities will radically reduce the attack surface and harden your systems against attackers.
Ivanti Patch for Windows Servers is a powerful tool that will make your patch management easier than ever and help you overcome vulnerabilities like the ones discussed above.