A critical vulnerability in the Credential Security Support Provider protocol (CredSSP), introduced in Windows Vista and used in all Windows versions since then, can be exploited by MitM attackers to run code remotely on previously uninfected machines and servers in the attacked network.
CredSSP provides single sign-on (SSO) and network level authentication for Remote Desktop Services, the Windows component that allows a user to take control of a remote computer or virtual machine over a network connection.
It is also used by Microsoft’s proprietary Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM), which is responsible for PowerShell remoting and Event Log Forwarding.
CredSSP takes care of securely forwarding credentials to target servers for remote authentication.
About the vulnerability (CVE-2018-0886)
The vulnerability was discovered by Preempt Security researchers and responsibly disclosed to Microsoft. The latter pushed out a fix for it today.
According to the researchers, the vulnerability is mathematically and technically complex, but also very easy to utilize and has a nearly 100 percent success rate.
In many real-world scenarios where a network has vulnerable network equipment, the vulnerability could result in an attacker gaining the ability to move laterally and infect critical servers (including domain controllers) with malicious software, they say.
“In Preempt internal research, we found that almost all enterprise customers are using RDP, making them vulnerable to this issue,” the researchers pointed out.
Extensive technical details about it can be found in this blog post.
“This vulnerability is a big deal, and while no attacks have been detected in the wild, there are a few real-world situations where attacks can occur,” notes Roman Blachman, CTO and co-founder at Preempt.
Exploitation of the flaw depends on the attacker achieving a man-in-the-middle position on the target network.
An attacker with physical access to the network can achieve this easily; ARP poisoning is another way.
“If you have WiFi deployed in areas of your network, you might be vulnerable to key reinstallation attacks (KRACK), thus making all machines that do RDP via WiFi exposed to this new attack,” the researchers also noted.
The vulnerability allows the attacker to intercept the initial RDP connection between a client and a server and provide back to the client a malicious command presented as the server’s public key. The client signs the command, the attacker sends it to the server, and the server executes it because it has been validly signed by the client.
The result: The server runs malicious code with privileges of the connecting client.
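As an added illustration (not code from Preempt or Microsoft, and not the MS-CSSP wire format), the toy model below contrasts a client that signs whatever bytes it is told are the server's public key with one that signs a fixed-format digest bound to a fresh client nonce, which is the kind of channel binding that defeats the substitution described above. HMAC-SHA256 under a constructed shared session key stands in for the GSS-API signature, and the binding label is an invented constant.

```python
import hashlib
import hmac
import os

# Toy model of the CredSSP pubKeyAuth step (added example, not MS-CSSP's wire format).
# HMAC-SHA256 under a shared session key stands in for the GSS-API signature the
# client produces with its Kerberos/NTLM key. Both values below are constructed.
SESSION_KEY = b"constructed-session-key-for-demo"
BINDING_LABEL = b"demo-client-to-server-binding"  # constructed label, not the protocol's


def gss_sign(message: bytes) -> bytes:
    return hmac.new(SESSION_KEY, message, hashlib.sha256).digest()


def client_sign_legacy(presented_pubkey: bytes):
    # Weak pattern: the signed plaintext is exactly the bytes the client was told are
    # the server's key, so a MitM who substitutes those bytes chooses what gets signed.
    return presented_pubkey, gss_sign(presented_pubkey)


def client_sign_bound(presented_pubkey: bytes, nonce: bytes):
    # Hardened pattern: sign a fixed-format digest mixing a constant label, a fresh
    # client nonce and the key. The signed plaintext is never attacker-chosen bytes.
    digest = hashlib.sha256(BINDING_LABEL + nonce + presented_pubkey).digest()
    return digest, gss_sign(digest)


def server_verify_bound(own_pubkey: bytes, nonce: bytes, digest: bytes, sig: bytes) -> bool:
    # The server recomputes the digest over the key it actually presented, so a blob
    # produced over substituted bytes fails even though the signature itself is valid.
    expected = hashlib.sha256(BINDING_LABEL + nonce + own_pubkey).digest()
    return hmac.compare_digest(digest, expected) and hmac.compare_digest(gss_sign(digest), sig)


def legacy_exchange_with_mitm(injected: bytes) -> bool:
    """True if the client hands back a valid signature over the substituted bytes."""
    signed_plain, sig = client_sign_legacy(injected)
    return signed_plain == injected and hmac.compare_digest(gss_sign(injected), sig)


def bound_exchange_with_mitm(real_pubkey: bytes, injected: bytes):
    """(signed plaintext equals the substituted bytes, server accepts) for the bound flow."""
    nonce = os.urandom(32)
    digest, sig = client_sign_bound(injected, nonce)
    return digest == injected, server_verify_bound(real_pubkey, nonce, digest, sig)
```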
An attacker that has stolen a session from a user with sufficient privileges could run different commands with local admin privileges. “This is especially critical in case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default,” the researchers pointed out.