If you work in an office, on site or remotely, you have probably asked your IT administrator to fix an issue on your system at short notice, and they have done it remotely without a hitch. With remote work becoming more common, RDP (Remote Desktop Protocol) is the quickest way to get help from your IT admin from anywhere, at any time.
RDP has shipped with Windows in one form or another since Windows XP. Through it, IT administrators can take control of your system and fix issues directly and quickly.
But the recently disclosed CVE-2018-0886 vulnerability in CredSSP is a serious threat to those remote connections.
The following article walks you through CVE-2018-0886, the CredSSP Remote Code Execution Vulnerability, and explains how you can protect your remote connections from it.
What is the CredSSP CVE-2018-0886 vulnerability?
CredSSP, the Credential Security Support Provider protocol, is an authentication provider that processes authentication requests for other applications. It is used by RDP and by WinRM (Windows Remote Management).
Unpatched versions of CredSSP contain a remote code execution vulnerability: an attacker who exploits it can relay the user's credentials and use them to execute code on the target system. Any application that relies on CredSSP for remote connections is therefore exposed.
Exploiting CVE-2018-0886 requires a man-in-the-middle position between the client and the server, for example on a shared Wi-Fi network or through physical access to the network. From that position the attacker intercepts the CredSSP authentication exchange and relays the credentials it carries instead of simply eavesdropping on data.
The vulnerability affects all supported Windows versions. Microsoft stated that it had not seen the bug exploited in the wild at the time of disclosure, but warned that it could cause serious damage if left unpatched.
Enterprise environments are the most exposed because of their heavy use of RDP, as are small businesses that outsource their entire IT administration. The credentials relayed over RDP are very often those of an administrator, so a successful attack gives the attacker administrative code execution on the target.
Microsoft released an initial fix for the vulnerability in all supported versions of Windows, that is, every client and server release from Windows 7 and Windows Server 2008 onwards.
How does the Remote Desktop Connection error occur?
To understand this, let's look at the updates Microsoft has released since the vulnerability was disclosed:
March 13, 2018 update:
With this update Microsoft patched the CredSSP authentication protocol and the Remote Desktop clients on all affected platforms.
All eligible clients and servers need to install the update. The update also added a Group Policy setting, Encryption Oracle Remediation, through which administrators control how client and server systems behave. Administrators were advised to apply the policy and choose either "Force updated clients" or "Mitigated" on both clients and servers; the initial default was "Vulnerable", so installing the update on its own did not change behaviour.
April 17, 2018 update:
With KB 4093120, Microsoft updated the Remote Desktop client so that it shows a clearer error message when an updated client fails to connect to a server on which the update has not been installed yet.
May 8, 2018 update:
This update changed the default protection level from "Vulnerable" to "Mitigated". From this point on an updated client refuses to fall back to the insecure CredSSP version, which is what makes connections to unpatched servers fail.
On a client that has received the May 8 update but is connecting to a server that has not been patched, the connection is refused during authentication with the message "An authentication error has occurred. The function requested is not supported. Remote computer: <server name>. This could be due to CredSSP encryption oracle remediation."
The error appears when all of the following hold:
- NLA (Network Level Authentication) is enabled on the target computer.
- The target computer has not been patched for CVE-2018-0886.
- The source computer is set to "Force updated clients" or "Mitigated", which since May 8, 2018 is the default, so you may not have configured it yourself.
Most commonly, then, the error appears when the RDP client (the source machine) has received the latest Windows updates but the server you are connecting to has not yet received the patch for the CredSSP vulnerability.
How to fix the Remote Desktop Connection error?
To get rid of the remote connection error, you have two options:
- Install the patch for the CredSSP issue on the remote server (recommended). Once both sides are patched they use the updated protocol and the setting no longer matters.
- Temporarily lower the Encryption Oracle Remediation policy on your local client.
For the second option, open the Local Group Policy Editor and go to:
Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Encryption Oracle Remediation
Set it to Enabled and change the protection level to "Vulnerable". The three levels mean the following: under "Force updated clients", clients that use CredSSP will not fall back to insecure versions and services that use CredSSP will not accept unpatched clients; under "Mitigated", clients will not fall back to insecure versions but services will still accept unpatched clients; under "Vulnerable", clients may fall back to insecure versions and services accept unpatched clients. "Mitigated" is the setting that produces the error in the first place, so choosing it does not help. "Vulnerable" re-exposes your client to the attack for every connection it makes, so treat it strictly as a stop-gap: connect, patch the server, then set the level back to "Mitigated". If the policy comes from the domain, a local change will be overwritten at the next policy refresh, so make it in the relevant GPO instead.
Refer to the Microsoft Knowledge Base articles listed in the CVE-2018-0886 advisory for more information.
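The following PowerShell script is an added example for this article; it is not Microsoft's code and was not part of the original page. It reads and writes the same policy value the Group Policy editor writes, and it encodes the interoperability rules from KB 4093492 so you can predict whether a given client/server pair will connect before you change anything. The registry path and the meaning of the AllowEncryptionOracle values (0 = Force updated clients, 1 = Mitigated, 2 = Vulnerable) are as documented by Microsoft; the function names are this example's own choice.

```powershell
# Added example (not from the original article). Registry location and value
# codes follow Microsoft's KB 4093492. Function names are this example's own.

$CredSspPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$LevelByCode = @{ 0 = 'ForceUpdatedClients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
$CodeByLevel = @{ ForceUpdatedClients = 0; Mitigated = 1; Vulnerable = 2 }

function Get-CredSspOracleLevel {
    # Reads the local Encryption Oracle Remediation level. When the value is
    # absent, the patch's built-in default applies: Vulnerable on the March 2018
    # release, Mitigated once the May 8, 2018 update is installed.
    $item = Get-ItemProperty -Path $CredSspPolicyKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    return $LevelByCode[[int]$item.AllowEncryptionOracle]
}

function Set-CredSspOracleLevel {
    # Writes the policy value. Needs an elevated prompt. Use 'Vulnerable' only as
    # a temporary workaround and set it back to 'Mitigated' once the server is patched.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ForceUpdatedClients', 'Mitigated', 'Vulnerable')]
        [string]$Level
    )
    if (-not (Test-Path $CredSspPolicyKey)) {
        New-Item -Path $CredSspPolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $CredSspPolicyKey -Name AllowEncryptionOracle -Value $CodeByLevel[$Level] -Type DWord
}

function Test-CredSspInterop {
    # Predicts whether CredSSP authentication is accepted for a client/server
    # combination, following the interoperability matrix in KB 4093492.
    # Returns $true when the connection is allowed.
    param(
        [Parameter(Mandatory)] [bool]$ClientPatched,
        [ValidateSet('ForceUpdatedClients', 'Mitigated', 'Vulnerable')] [string]$ClientLevel = 'Mitigated',
        [Parameter(Mandatory)] [bool]$ServerPatched,
        [ValidateSet('ForceUpdatedClients', 'Mitigated', 'Vulnerable')] [string]$ServerLevel = 'Mitigated'
    )
    # Updated client, unpatched server: only 'Vulnerable' permits the fallback
    # to the insecure protocol version. This is the case behind the article's error.
    if ($ClientPatched -and -not $ServerPatched) {
        return $ClientLevel -eq 'Vulnerable'
    }
    # Unpatched client, updated server: rejected only when the server enforces
    # 'Force updated clients'.
    if (-not $ClientPatched -and $ServerPatched) {
        return $ServerLevel -ne 'ForceUpdatedClients'
    }
    # Both patched (updated protocol on both sides) or both unpatched: allowed.
    return $true
}

function Get-RdpNlaRequired {
    # Reports whether Network Level Authentication is required on the RDP-Tcp
    # listener of this host, one of the three conditions for the error.
    $setting = Get-CimInstance -Namespace 'root\CIMV2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    return [bool]$setting.UserAuthenticationRequired
}

# Typical use on the client (run elevated):
Write-Output "Current level: $(Get-CredSspOracleLevel)"
Write-Output "NLA required on this host: $(Get-RdpNlaRequired)"
Write-Output "Patched client at Mitigated -> unpatched server allowed: $(Test-CredSspInterop -ClientPatched $true -ServerPatched $false)"
Write-Output "Patched client at Vulnerable -> unpatched server allowed: $(Test-CredSspInterop -ClientPatched $true -ClientLevel Vulnerable -ServerPatched $false)"
# Set-CredSspOracleLevel -Level Vulnerable   # connect, install the patch on the server, then:
# Set-CredSspOracleLevel -Level Mitigated
```

If the Encryption Oracle Remediation setting is delivered by a domain GPO, the local registry value written by Set-CredSspOracleLevel will be overwritten at the next policy refresh, so change the GPO instead. Test-CredSspInterop also shows why patching the server is the right fix: once both sides are patched, every combination of levels is allowed.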