
Windows RDP flaw: 'Install Microsoft's patch, turn on your firewall'


Video: Microsoft fends off mining malware attack.

Microsoft’s Patch Tuesday updates for March deliver fixes for 75 security bugs, including patches for 15 critical flaws and a serious vulnerability that exposes sysadmins to credential theft.

In addition to new updates to mitigate Meltdown and Spectre, Microsoft has released fixes for 15 critical flaws affecting the scripting engine in Internet Explorer 11 and its JavaScript engine ChakraCore in Microsoft Edge. There are also 61 important fixes for Windows, Office, and ASP.NET Core.

An important-rated bug that’s caught the attention of several security firms is CVE-2018-0886, a remote code execution flaw that affects CredSSP, or the Credential Security Support Provider protocol.

CredSSP is used in Microsoft’s widely used Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) to relay user credentials from a client to an application’s server.

Microsoft says, “CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack.”

It is rated important rather than critical because it can only be exploited in tandem with a man-in-the-middle attack. From that position, however, an attacker could steal the session authentication of a user with local administrative privileges and then run unauthorized commands on the target server with those same privileges.

Preempt, the security firm that reported it, has published a write-up of the issues behind the bug as well as a more detailed technical report.

As Preempt notes, this bug isn’t an attacker’s entry point but rather a technique for lateral movement and privilege escalation once they have either gained physical access to the target’s Wi-Fi network or exploited a remote code execution flaw in a firm’s routers, such as Cisco’s severe ASA VPN bug that was patched through January and February.

“The attacker will set up the man-in-the-middle, wait for a CredSSP session to occur, and once it does, will steal session authentication and perform a Remote Procedure Call (DCE/RPC) attack on the server that the user originally connected to (eg, the server user connected with RDP),” explains Preempt researcher Yaron Zinar.

“An attacker [who has] stolen a session from a user with sufficient privileges could run different commands with local admin privileges. This is especially critical in the case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default.”

If the attacker exploits a vulnerable router, they would infect a router near the server and wait for an IT admin to log in to the server using RDP.

The attacker may also exploit the recent KRACK Wi-Fi key reinstallation vulnerabilities to use this attack against any machine with RDP enabled over Wi-Fi.

Zinar’s colleague Eyal Karni notes that customers can mitigate the flaw by ensuring the Windows firewall is on, because RPC is not enabled by default on any interface.

However, domain admins are particularly vulnerable to this attack until Microsoft’s patch has been installed.

“This is because a rule concerning RPC exists in Domain Controllers that enables any svchosts.exe DCOM interfaces. Furthermore, a quick survey found that RDP is the most common way in which domain admins tend to access the DC. In other words, by exploiting this attack, an attacker is likely to gain full control over the domain,” writes Karni.

Microsoft was informed of the issue in August, but needed an extension well beyond the agreed 90-day disclosure timeframe to deliver a fix, according to Preempt’s timeline.

Microsoft has a fix available for every supported version of Windows and Windows Server, but admins will also need to make configuration changes to fully remediate the bug. Microsoft has provided group policy instructions.
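The article's two interim defences are a firewall that is switched on and the post-patch configuration change. The read-only PowerShell audit below is an added example, not code from the article, Preempt or Microsoft; it assumes (from Microsoft's Encryption Oracle Remediation guidance, which the article does not reproduce) that the policy is stored as the `AllowEncryptionOracle` DWORD under the registry path shown, and the function name `Test-CredSspMitigation` is hypothetical.

```powershell
# Added example: audit a Windows host for the mitigations discussed above.
# Assumption (not on the page): AllowEncryptionOracle 0 = force updated clients,
# 1 = mitigated, 2 = vulnerable, per Microsoft's guidance for CVE-2018-0886.
function Test-CredSspMitigation {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Windows Firewall must be enabled on every profile (Karni's interim advice).
    foreach ($fwProfile in Get-NetFirewallProfile) {
        if (-not $fwProfile.Enabled) {
            $findings += "Firewall profile '$($fwProfile.Name)' is disabled"
        }
    }

    # 2. Encryption Oracle Remediation policy (assumed path/value; verify against Microsoft's KB).
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $policy  = Get-ItemProperty -Path $regPath -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $policy) {
        $findings += 'AllowEncryptionOracle is not set: the group policy has not been applied'
    } elseif ($policy.AllowEncryptionOracle -ne 0) {
        $findings += "AllowEncryptionOracle = $($policy.AllowEncryptionOracle); only 0 refuses unpatched peers"
    }

    # 3. Flag hosts that accept RDP at all, since RDP sessions are what the MITM waits for.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($null -ne $ts -and $ts.fDenyTSConnections -eq 0) {
        $findings += 'RDP is enabled: confirm the March 2018 update is installed before admins connect'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-CredSspMitigation | Format-List
```

Run it with local administrator rights on the servers that admins reach over RDP or WinRM; a non-empty `Findings` list is the to-do list for that host.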

