Security expert Joe Tammariello of Carnegie Mellon University Software Engineering Institute (SEI), discovered a new
The flaw, tracked as CVE-2019-9510, could be exploited by client-side attackers to bypass the lock screen on remote desktop (RD) sessions.
In order to exploit the flaw, the attacker requires physical access to a targeted system, for this reason, it received a CVSS score of 4.6 (medium severity). The flaw affects versions of Windows starting with Windows 10 1803 and Server 2019.
The vulnerability resides in the way Microsoft Windows Remote Desktop feature requires clients to authenticate with Network Level Authentication (NLA).
“Microsoft Windows RDP Network Level Authentication can allow an attacker to bypass the lock screen on remote sessions.” reads the advisory published by the CERT/CC.
“Starting with Windows 10 1803 and Windows Server 2019, Windows RDP handling of NLA-based RDP sessions has changed in a way that can cause unexpected behavior with respect to session locking. If a network anomaly triggers a temporary RDP disconnect, upon automatic reconnection the RDP session will be restored to an unlocked state, regardless of how the remote system was left. “
When a network anomaly occurs it could trigger a temporary RDP disconnect, but upon automatic reconnection the RDP session will be restored to an unlocked state. The RDP session will be restored without considering the status of the remote system before the disconnection. For example, consider the following steps:
Below the attack scenario described by the CERT:
An attacker can interrupt the network connectivity of the RDP client system, this will cause the session with the remote system being unlocked without providing credentials.
The advisory published by the CERT/CC states that two-factor authentication systems that integrate with the Windows login screen (i.e. Duo Security MFA) could be bypassed exploiting the CVE-2019-9510 flaw.
“Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, are also bypassed using this mechanism. Any login banners enforced by an organization will also be bypassed.” continues the advisory.
Tammariello reported the flaw to Microsoft on April 19, but the company did not acknowledge the flaw
“[The] behavior does not meet the Microsoft Security Servicing Criteria for Windows,” states the company.
(SecurityAffairs – RDP, CVE-2019-9510)