Researchers at the cybersecurity firm Preempt Security have found a critical vulnerability in the Credential Security Support Provider protocol (CredSSP) that affects all versions of Windows and could allow a remote attacker to abuse RDP and WinRM sessions to steal data and run malicious code.
The Credential Security Support Provider protocol (CredSSP) enables an application to securely delegate a user's credentials from a client to a target server. It was designed for use by the Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM), which rely on it to forward the credentials, in encrypted form, from the Windows client to the target server for remote authentication.
The issue, tracked as CVE-2018-0886, is a logical cryptographic flaw in CredSSP. It can be exploited by a man-in-the-middle attacker who is on the network, whether over Wi-Fi or through physical access, to steal session authentication data and perform a Remote Procedure Call attack.
By intercepting the client-server authentication of an RDP or WinRM connection, a man-in-the-middle attacker is able to execute remote commands on the target and so compromise the enterprise network.
“An attacker who has stolen a session from a user with sufficient privileges could run different commands with local admin privileges. This is especially critical in the case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default,” says Yaron Zinar, lead security researcher for Preempt.
“This could leave enterprises vulnerable to a variety of threats from attackers including lateral movement and infection on critical servers or domain controllers.”
The vulnerability exposes a large number of networks, as RDP is currently the most popular application for remote logins and most enterprise customers use it.
Preempt researchers discovered this previously unknown remote code execution vulnerability and reported it to Microsoft in August 2017. Almost seven months after the report, Microsoft has published a fix for the protocol today as part of its March 2018 Patch Tuesday release.
To protect yourself and your organization against the CredSSP exploit, patch your workstations and servers with the updates available from Microsoft.
Note that patching alone is not enough to prevent this issue: the update only adds the protection, and IT professionals must also apply a configuration change (a Group Policy setting) on patched hosts to enforce it.
Another mitigation is to block the relevant application ports, including those used by RDP and DCE/RPC. The researchers also warn that the attack could be carried out in several ways, using different protocols, so port blocking on its own is not a complete defense.
Finally, to limit the damage a stolen session can do, reduce the use of privileged accounts as much as possible and use non-privileged accounts wherever you can.
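As an added example (not from the Preempt research or Microsoft, though it uses the registry location and value meanings Microsoft documents for CVE-2018-0886), the following PowerShell audits the "Encryption Oracle Remediation" policy behind the configuration step above and, if the host is still exploitable, moves it to "Mitigated". It assumes it is run in an elevated session on a host that already has the March 2018 update installed; the function names and the `Protected` flag are this example's own.

```powershell
# Audit and set the CredSSP "Encryption Oracle Remediation" policy for CVE-2018-0886.
# Assumptions: elevated PowerShell on a Windows host with the March 2018 update;
# registry path and value names follow Microsoft's CVE-2018-0886 guidance.
$CredSspPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$CredSspValueName  = 'AllowEncryptionOracle'

# Meaning of the AllowEncryptionOracle DWORD (from Microsoft's guidance):
#   0 = Force Updated Clients  (refuse every unpatched peer; safest, breaks unpatched RDP/WinRM peers)
#   1 = Mitigated              (refuse unpatched servers, still accept unpatched clients)
#   2 = Vulnerable             (pre-patch behaviour; still exploitable by a man-in-the-middle)
$OracleStates = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleState {
    # Returns the configured state; an absent value means the OS default applies,
    # and that default has changed across Microsoft's 2018 updates, so it is
    # reported as not protected rather than assumed safe (example's own policy).
    $item = Get-ItemProperty -Path $CredSspPolicyPath -Name $CredSspValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Value     = $null
            State     = 'Not configured (OS default applies)'
            Protected = $false
        }
    }
    $n = [int]$item.$CredSspValueName
    [pscustomobject]@{
        Value     = $n
        State     = if ($OracleStates.ContainsKey($n)) { $OracleStates[$n] } else { "Unknown ($n)" }
        Protected = ($n -eq 0 -or $n -eq 1)
    }
}

function Set-CredSspOracleState {
    # Writes the policy value directly; the same setting is available through
    # Group Policy under Computer Configuration > Administrative Templates >
    # System > Credentials Delegation > Encryption Oracle Remediation.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ForceUpdatedClients', 'Mitigated', 'Vulnerable')]
        [string]$State
    )
    $map = @{ ForceUpdatedClients = 0; Mitigated = 1; Vulnerable = 2 }
    if (-not (Test-Path $CredSspPolicyPath)) {
        New-Item -Path $CredSspPolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $CredSspPolicyPath -Name $CredSspValueName `
        -PropertyType DWord -Value $map[$State] -Force | Out-Null
    Get-CredSspOracleState
}

# Usage: report the current state and harden if the host is still exploitable.
$before = Get-CredSspOracleState
Write-Host ('CredSSP oracle remediation: {0} (protected: {1})' -f $before.State, $before.Protected)
if (-not $before.Protected) {
    Write-Warning 'Host still negotiates CredSSP with unpatched peers; setting Mitigated.'
    Set-CredSspOracleState -State Mitigated | Format-List
}
```

Roll out "Mitigated" first and move to "Force Updated Clients" only once every RDP and WinRM peer is patched: with value 0, a patched server refuses connections from unpatched clients, and a patched client refuses unpatched servers, so setting it prematurely on a jump host or domain controller cuts off remote administration rather than protecting it.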
As part of the March 2018 Patch Tuesday, Microsoft has also released security patches for its other products, including Internet Explorer and the Edge browser, the Windows OS, Microsoft Office, PowerShell, ChakraCore, as well as Adobe Flash Player.