Dangerous CredSSP flaw opens door into corporate servers

A critical vulnerability in the Credential Security Support Provider protocol (CredSSP), introduced in Windows Vista and used in all Windows versions since then, can be exploited by MitM attackers to run code remotely on previously uninfected machines and servers in the attacked network.

CredSSP flaw

About CredSSP

CredSSP provides single sign-on (SSO) and network level authentication for Remote Desktop Services, the Windows component that allows a user to take control of a remote computer or virtual machine over a network connection.

It is also used by Microsoft’s proprietary Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM), which is responsible for PowerShell remoting and Event Log Forwarding.

CredSSP takes care of securely forwarding credentials to target servers for remote authentication.

About the vulnerability (CVE-2018-0886)

The vulnerability was discovered by Preempt Security researchers and responsibly disclosed to Microsoft. The latter pushed out a fix for it today.

According to the researchers, the vulnerability is mathematically and technically complex, but also very easy to utilize and has a nearly 100 percent success rate.

In many real-world scenarios where a network has vulnerable network equipment, the vulnerability could result in an attacker gaining the ability to move laterally and infect critical servers (including domain controllers) with malicious software, they say.

“In Preempt internal research, we found that almost all enterprise customers are using RDP, making them vulnerable to this issue,” the researchers pointed out.

Extensive technical details about it can be found in this blog post.

Potential attacks

“This vulnerability is a big deal, and while no attacks have been detected in the wild, there are a few real-world situations where attacks can occur,” notes Roman Blachman, CTO and co-founder at Preempt.

Exploitation of the flaw depends on the attacker achieving a man-in-the-middle position on the target network.

An attacker having physical access to it can achieve it easily. ARP poisoning is another way to do it.

“If you have WiFi deployed in areas of your network, you might be vulnerable to key reinstallation attacks (KRACK), thus making all machines that do RDP via WiFi exposed to this new attack,” the researchers also noted.

The vulnerability allows the attacker to intercept the initial RDP connection between a client and a server and provide back to the client a malicious command presented as the server’s public key. The client signs the command, the attacker sends it to the server, and the server executes it because it has been validly signed by the client.

The result: The server runs malicious code with privileges of the connecting client.

An attacker that has stolen a session from a user with sufficient privileges could run different commands with local admin privileges. “This is especially critical in case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default,” the researchers pointed out.

Here’s a video demonstration of the CredSSP exploit, as it looks on the client, server, and attack machines:

Preventing exploitation

As mentioned before, a patch for CVE-2018-0886 has been released today by Microsoft.

Preempt researchers advise installing it on workstations and servers as soon as possible and note that sysadmins will need to make a configuration change to apply it. Instructions on how to do that have been provided here.

“As with many previous exploits, blocking the relevant application ports (RDP, DCE/RPC) would also thwart an attack. However, that this attack could be implemented in different ways, even using different protocols,” the researchers added, and noted that reducing privileged account usage as much as possible and using non-privileged accounts whenever applicable is also a good idea.

According to them, the vulnerability has very little affect on non-enterprise (home) users as they are most likely not using Kerberos.