Overview
The “Remote Code Execution” vulnerability in CredSSP has a fix (CVE-2018-0886). RDP links, however, can be impacted. The March 2018 Security Newsletter published the linkage. The vulnerabilities of the exploits that we saw were:
- Targets receive a malicious RTF Microsoft Office document.
- After opening, the malicious document allows the exploit’s second phase to be downloaded as a malicious code HTML page.
- The malicious code triggers the use-after-free memory-corruption bug
Accompanying shellcode. Then, it downloads and executes a malicious payload.
Symptoms
1. The OS is fully loaded and waiting for the credentials in the VM screenshot.
2. You will see the following message if you attempt to RDP the VM either internally or externally:
“There has been an authentication error.”
“CredSSP encryption oracle remediation may be to blame for this,”
For more information, see Microsoft Support.
Root Cause Analysis
A vulnerability in the Credential Security Support Provider (CredSSP) protocol was fixed by a monthly Windows update in May. There are two things in it:
- Correct the request validation method used by the Credential Security Support Provider protocol (CredSSP).
- Change the default option for Oracle Encryption Remediation in group policy from Vulnerable to Mitigated.
When establishing a secure RDP session, the server or client may refuse to connect if they have different expectations.
Furthermore, the tentative update may result in a modification to the present default setting. As a result, it affects the need for secure sessions.
The matrix for each potential RDP outcome condition is shown below:
Matrix for each possible situation for RDP result
Examples:
RDP will function securely if both the client and the server use the default setting (Mitigated).
Resolution/fix
In order to set up RDP securely, make sure to install the most recent patch on both the client and server sides.
Alternative Workarounds
Mitigation 1
In other words, if you can’t RDP to your patched client to VM, we might think about modifying the customer’s policy settings to temporarily get RDP access to the servers.
The Local Group Policy Editor will then allow you to modify the settings. Then, run gpedit.msc, and on the left side, navigate to Computer Configuration / Administrative Templates / System / Credentials Delegation:
Change Local Group Policy Editor
In other words, if you are unable to RDP to your patched client to VM, we may explore altering the customer’s policy settings to temporarily gain access to the servers via RDP.
In the Local Group Policy Editor, you can then modify the parameters. In the left panel, open gpedit.msc and navigate to Computer Configuration / Administrative Templates / System / Credentials Delegation:
Change Encryption Oracle Remediation
