{"uuid": "72bef5e1-ef52-42e9-9a8c-030abb5b9e56", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2018-0886", "type": "seen", "source": "https://t.me/information_security_channel/14269", "content": "Microsoft Patches Remote Code Execution Flaw in CredSSP\nhttp://feedproxy.google.com/~r/Securityweek/~3/ZyvlNR9ld1Y/microsoft-patches-remote-code-execution-flaw-credssp\n\nA vulnerability (CVE-2018-0886) patched by Microsoft with its March 2018 security patches was a remote code execution flaw in the Credential Security Support Provider protocol (CredSSP) used by Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM).\nThis vulnerability can be exploited by an attacker to relay user credentials to execute code on a target system. The authentication provider, Microsoft explains, processes authentication requests for other applications, meaning that the vulnerability puts all applications that depend on CredSSP at risk. \nPreempt, which discovered the bug, explains that this is a logical vulnerability that affects all Windows versions to date. With almost all enterprise customers using RDP, exploitation of this vulnerability could have a vast impact, the researchers say. \nCybercriminals can set up a man-in-the-middle attack, wait for a CredSSP session, and then steal session authentication to perform a Remote Procedure Call (DCE/RPC) attack on the server the user attempted to connect to. \nChris Morales, head of security analytics at Vectra, pointed out to SecurityWeek in an emailed comment that this type of activity could rather be considered a form of internal reconnaissance that any company properly monitoring their internal environment should be able to detect. \n\u201cIn the big picture, there are a lot of variables that have to be right in a targeted environment for this attack to succeed. Most importantly, the attacker needs to already be on the network and in a position between the clients and servers. If an attacker is already that deep in the network, there are many other things they could do scope out a network, find authentication accounts and compromise a server,\u201d Morales said.\nOnce they managed to steal the session, the attacker can run commands to install programs, read / modify / delete data, or create new accounts with full user rights.\nScenarios in which the vulnerability can be exploited include those where the attacker has some physical access to the targeted network, those where Address Resolution Protocol (ARP) poisoning is used for lateral movement, or those where the attacker is targeting sensitive servers via vulnerable routers or switches, Preempt says. The company also published a video detailing the vulnerability. \n\u201cTo be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems,\u201d Microsoft explains. \nThe vulnerability impacts Windows 7, Windows 8.1, and Windows 10 systems, as well as Windows Server 2008, Windows Server 2012, and Windows Server 2016. \nTo address the issue, Microsoft released an update to correct the manner in which CredSSP validates requests during the authentication process. The update patches the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.\n\u201cMitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to \u201cForce updated clients\u201d or \u201cMitigated\u201d on client and server computers as soon as possible,\u201d Microsoft says. \nThe software giant also explains that this patch is only the first update it is releasing to address the issue. An update planned for next month should \u201cenhance the error message that is presented when an updated client fails to connect to a server that has not been updated,\u201d while another planned for May should \u201cchange the default setting from Vulnerable to Mitigated.\u201d", "creation_timestamp": "2018-03-14T17:48:12.000000Z"}