A critical flaw in Credential Security Support Provider protocol (CredSSP) affects all versions of Windows

Pierluigi Paganini March 13, 2018

Security experts at firm Preempt Security discovered a critical vulnerability in Credential Security Support Provider protocol (CredSSP) that affects all versions of Windows to date.

The flaw, tracked as CVE-2018-0886, could be used by a remote attacker to exploit RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM) to steal data and run malicious code.

The vulnerability is a logical cryptographic issue in CredSSP that can be exploited by an attacker in a man-in-the-middle position to steal session authentication data and perform a Remote Procedure Call attack.

An attacker with WiFi/Physical access to your network could easily launch a man-in-the-middle attack.

The CredSSP protocol enables an application to securely delegate a user’s credentials from a client to a target server, it works with both RDP and WinRM.

When a client and server authenticate over RDP and WinRM, a man-in-the-middle attacker can execute remote commands on the target system. The attacker waits for a CredSSP session to occur, then it will steal session authentication and perform a Remote Procedure Call (DCE/RPC) attack on the server that the user originally connected to.

“An attacker which have stolen a session from a user with sufficient privileges could run different commands with local admin privileges. This is especially critical in case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default,” explained Yaron Zinar, security experts for Preempt.

“This could leave enterprises vulnerable to a variety of threats from attackers including lateral movement and infection on critical servers or domain controllers.”

CredSSP

Researchers discovered the flaw in August 2017 and reported it to Microsoft that solved the issued today as part of March 2018 Patch Tuesday.

Users need to patch their installs by updating security updates issued by Microsoft.

Preempt researchers pointed out that patching alone is necessary but not sufficient to the exploitation of the flaw. Admins need to make some configuration to apply the patch and be secure.

“However, it is important to note that patching alone is not enough as you will also need to make a configuration change to apply the patch and be protected. For further details on how to apply the patch refer to Microsoft advisory.” continues the security advisory.

“As with many previous exploits, blocking the relevant application ports/services (RDP, DCE/RPC) would also thwart the attack. It is recommended to apply the proper network segmentation policy and block unnecessary ports/services.”

Another best practice to follow consist of decreasing the use of privileged account as much as possible in favor of non-privileged accounts is possible.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CredSSP, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment