[German]Due to a critical vulnerability in Microsoft’s Credential Security Support Provider (CredSSP), the company plans to block RDP connections from unpatched clients to Windows Servers in the future. Administrators need to update all clients and servers, to avoid this situation.
What is it about?
All versions of Windows have a critical vulnerability in the Credential Security Support Provider (CredSSP). The critical vulnerability lies in the Credential Security Support Provider Protocol (CredSSP), which is used in all previous versions of Windows. The CredSSP protocol was developed for use by RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM). The protocol securely forwards the credentials encrypted by the Windows client to the target servers for remote authentication.
Vulnerability CVE-2018-0886 allows remote attackers to use RDP and WinRM connections to steal data or run malware. I recently mentioned this topic in the German blog post CredSSP-Sicherheitslücke in RDP unter Windows.
The vulnerability was reported to the MSRC in August 2017. Microsoft has closed this vulnerability (CVE-2018-0886) in the CredSSP implementation with the March 2018 update (see also Patchday: More Microsoft Updates (March 13, 2018)).
Microsoft’s kb article 4093492 about the vulnerability within the Credential Security Support Provider Protocol (CredSSP) not only explains the vulnerability. Microsoft also strongly recommends that administrators install the update on servers and clients throughout. Furthermore, the Group Policies must be adapted so that the “Force Updates Clients” and “Mitigated” settings are activated as soon as possible, both on the server and on the clients. This should protect the servers against insecure (unpatched) clients.
Unpatched clients connections will be blocked
According to The Register (see this article), Microsoft will block Windows Server RDP clients, that hasn’t been patched against the vulnerability, will be blocked (can’t be authenticated by the servers). This is to prevent attackers from abusing RDP connections to take over systems and move laterally within a network. Microsoft also explains in detail in KB article 4093492 how they will prevent the vulnerability from being exploited with updates.
March 13, 2018
The initial March 13, 2018, release updates the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms. Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible. These changes will require a reboot of the affected systems.
Pay close attention to Group Policy or registry settings pairs that result in “Blocked” interactions between clients and servers in the compatibility table later in this article.
April 17, 2018 (tentative)
The Remote Desktop Client (RDP) update will enhance the error message that is presented when an updated client fails to connect to a server that has not been updated.
May 8, 2018 (tentative)
An update to change the default setting from Vulnerable to Mitigated. During the Black Hat Asia conference, The Register learned that this May patch will cause unpatched RDP clients to be rejected by patched Windows servers. This prevents the vulnerability from being exploited.