Ahead of today’s patch day, a short note about the CredSSP updates for Windows: Microsoft’s CredSSP updates can kill remote desktop connections between Linux and Windows.
Some background information about CredSSP
All versions of Windows have a critical vulnerability in the Credential Security Support Provider (CredSSP). The vulnerability, CVE-2018-0886, allows remote attackers to use RDP and WinRM connections to steal data or run malware. I recently mentioned this topic in the German blog post CredSSP-Sicherheitslücke in RDP unter Windows.
For security reasons, Microsoft therefore intends to exclude unpatched systems from RDP connections in the future. I mentioned that in the blog post Microsoft will block RDP connections from clients soon. The next RDP update is scheduled for April 17. Microsoft has summarized what you need to know in KB4093492 (CredSSP updates for CVE-2018-0886) for Windows clients and Windows servers.
Attention: CredSSP collides with rdesktop
According to Wikipedia, rdesktop is an open source program that can establish an RDP connection from Unix-like operating systems to Microsoft Windows. There now appears to be a problem in the interaction between rdesktop and the CredSSP changes planned by Microsoft. I came across a warning from an administrator at the German site administrator.de. The user wrote (translated):
KB4093492 describes necessary patches and policies to secure CredSSP, which is used for RDP connections with Single Sign on.
If you have patched and secured this in your network, make sure that remote connections from Linux clients (e.g. via rdesktop) are still working.
Here, on SUSE Leap, no RDP connection to Windows computers can be established unless NLA is disabled on the Windows side.
Otherwise the error “CredSSP required by server” occurs on Linux.
So: for compatibility with rdesktop (if needed) disable NLA, or set the patch to “mitigated”, not “Force updated clients”!
If you have set the GPO to “Force updated clients” and still have compatible Linux RDP clients, I would be very interested to know which ones.
Network Level Authentication (NLA) was introduced with RDP 6.0 (supported from Windows Vista onward). NLA requires user authentication before a remote desktop session with the server is established (Microsoft describes the advantages here – e.g. protection against denial of service attacks).
NLA uses CredSSP to present the user’s credentials to the server for authentication before creating a session. If Microsoft now changes CredSSP, this may affect RDP connections.
While writing this blog post I stumbled upon this Technet forum thread, discussing sporadic issues with Windows 7 RDP connections to Windows Server 2012 R2. In that case, an RDS certificate was causing the issues. It’s a different case, but I find the explanations interesting.
The error “CredSSP required by server”
The error “CredSSP required by server” is probably a recurring troublemaker between Linux and Windows (according to this article). I found the article interesting, because it describes the background and some workarounds. The author of this article suggested freerdp as RDP client, because it works.
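To make the background of this message concrete, here is an added example (not code from the original post, rdesktop or freerdp) that builds the RDP connection request and decodes the server's negotiation reply, where a server enforcing NLA refuses a client that did not offer CredSSP with the failure code HYBRID_REQUIRED_BY_SERVER. The constant names follow Microsoft's MS-RDPBCGR specification; the function names and the two sample replies are constructed for illustration.

```python
import struct

# Values from the RDP negotiation structures in MS-RDPBCGR.
PROTOCOLS = {0x1: "TLS", 0x2: "CredSSP (NLA)", 0x8: "CredSSP with early user auth"}
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
            3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
            5: "HYBRID_REQUIRED_BY_SERVER",  # server insists on CredSSP/NLA
            6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def build_connection_request(requested_protocols):
    """X.224 Connection Request carrying an RDP_NEG_REQ with the offered protocols."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def parse_connection_confirm(data):
    """Return ('selected', [protocol names]) or ('failure', code name)."""
    if len(data) < 11:
        raise ValueError("truncated reply")
    version, _, length = struct.unpack(">BBH", data[:4])
    if version != 3 or length != len(data):
        raise ValueError("not a complete TPKT packet")
    if data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) == 11:
        return ("selected", ["Standard RDP security"])  # no negotiation block
    if len(data) != 19:
        raise ValueError("unexpected negotiation block size")
    msg_type, _flags, msg_len, value = struct.unpack("<BBHI", data[11:19])
    if msg_len != 8:
        raise ValueError("bad negotiation block length")
    if msg_type == 0x02:  # RDP_NEG_RSP: server picked a protocol
        names = [name for bit, name in PROTOCOLS.items() if value & bit]
        return ("selected", names or ["Standard RDP security"])
    if msg_type == 0x03:  # RDP_NEG_FAILURE: server refused the offer
        return ("failure", FAILURES.get(value, "unknown (%d)" % value))
    raise ValueError("unexpected negotiation message type")

# Constructed sample replies (not captured traffic).
NLA_REQUIRED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 05 00 00 00")
NLA_ACCEPTED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 1f 08 00 02 00 00 00")

if __name__ == "__main__":
    print(build_connection_request(0x1).hex())       # offer TLS only
    print(parse_connection_confirm(NLA_REQUIRED))
    print(parse_connection_confirm(NLA_ACCEPTED))
```

This only shows whether the server demands CredSSP at negotiation time; it does not reveal the CredSSP patch level or the policy setting from KB4093492.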
It may be that it’s an individual observation (I cannot test anything at the moment for various reasons). So this blog post is meant as a ‘mention’, to give you a hint if things go wrong. You can leave feedback here, if necessary, on whether you are affected and whether you have solved it differently.
CredSSP-Sicherheitslücke in RDP unter Windows (German)
Microsoft will block RDP connections from clients soon