CredSSP Flaw Allows Attackers to Exploit Remote Desktop and Windows Remote Management, Affecting All Windows Versions To-Date
RAMAT GAN, Israel, March 13, 2018 /PRNewswire/ -- Preempt, a leader in adaptive threat prevention that helps enterprises eliminate insider threats and security breaches, today announced that its research team found a critical Microsoft vulnerability: a logical flaw in the Credential Security Support Provider protocol (CredSSP), which Remote Desktop and WinRM use during authentication. CredSSP is responsible for securely forwarding a user's credentials to the target server. The researchers found that an attacker with man-in-the-middle control over the session can abuse the flaw to run code remotely on the target server on behalf of that user.
Because Remote Desktop is the most widely used application for remote logins, this vulnerability is of extreme concern. It could expose enterprises to a variety of threats, including lateral movement and the infection of critical servers or domain controllers. The vulnerability affects all Windows versions to date (starting with Windows Vista).
"This vulnerability is a big deal, and while no attacks have been detected in the wild, there are a few real-world situations where attacks can occur," said Roman Blachman, CTO and co-founder at Preempt. "Ensuring that your workstations are patched is the logical, first step to preventing this threat. It's important for organizations to use real-time threat response solutions to mitigate these types of threats."
With this vulnerability, an attack can be mounted with nothing more than Wi-Fi or physical network access: an attacker who has such access can position themselves as a man-in-the-middle on the session. Other techniques, such as Address Resolution Protocol (ARP) poisoning or reaching sensitive servers through vulnerable routers and switches, would also enable the attack.
Organizations can protect themselves from this vulnerability in a few ways:
- Preempt customers have been protected from this flaw by defense in depth: both alerting and real-time prevention when vulnerabilities such as the CredSSP flaw are exploited in the network.
- Make sure that workstations and servers are properly patched. This is a basic requirement. However, it is important to note that patching alone is not enough: IT professionals will also need to make a configuration change for the patch to take effect and for the systems to be protected.
- As with many previous exploits, blocking the relevant application ports (RDP, DCE/RPC) would also thwart the attack. However, note that this attack could be implemented in different ways, even using different protocols.
- Reduce privileged account usage as much as possible and use non-privileged accounts whenever applicable.
- For more details on how organizations can protect themselves, read this blog: Security Advisory: Critical Vulnerability in CredSSP Allows Remote Code Execution on Servers (CVE-2018-0886)
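A defender's check for the configuration step called out above, added here as an example and not part of Preempt's release or tooling: it reads the CredSSP "Encryption Oracle Remediation" policy value that Microsoft's CVE-2018-0886 update introduced and reports the host's posture. The registry path, value name and the meaning of each value are taken from Microsoft's guidance for the update and are assumed here; the effective behaviour when the value is absent depends on the installed update level, so that case is reported as unconfigured rather than guessed.

```powershell
# Added example: report the CredSSP Encryption Oracle Remediation posture of this host.
# Assumed (from Microsoft's CVE-2018-0886 guidance): AllowEncryptionOracle
#   0 = Force Updated Clients: patched clients refuse insecure fallback and
#       patched services refuse unpatched clients
#   1 = Mitigated: patched clients refuse insecure fallback; services still
#       accept unpatched clients
#   2 = Vulnerable: pre-patch behaviour allowed on both sides
# Run from an elevated PowerShell session on a patched host.

function Get-CredSspPosture {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $name = 'AllowEncryptionOracle'

    # Missing key or value simply yields $null; do not treat that as an error.
    $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

    switch ($value) {
        0       { $label = 'Force Updated Clients (patched behaviour enforced on clients and services)' }
        1       { $label = 'Mitigated (clients cannot fall back; services still accept unpatched clients)' }
        2       { $label = 'Vulnerable (pre-patch behaviour explicitly allowed)' }
        default { $label = 'Not configured (effective default depends on update level; verify via Group Policy)' }
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        AllowEncryptionOracle = $value
        Posture               = $label
        # The client-side protection the release refers to is in place for values 0 and 1.
        ClientProtected       = ($value -eq 0 -or $value -eq 1)
    }
}

Get-CredSspPosture | Format-List
```

A value of 2, or an unconfigured value on a host that has not received the later cumulative updates, is the condition to remediate; run the function across a fleet with Invoke-Command to find such hosts.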
As of March 13, 2018, Microsoft has issued a patch for CVE-2018-0886 following Preempt's responsible disclosure of the CredSSP vulnerability.
Additional Resources
- Overview blog of CredSSP issues and steps to protect your
organization
- Technical blog on how Preempt researchers were able to exploit
MS-RDP
- Video demonstration of the CredSSP exploit
About Preempt
Preempt protects organizations by eliminating insider threats and security breaches. Threats are not black or white, and the Preempt Platform is the only solution that delivers adaptive threat prevention that continuously preempts threats based on identity, behavior and risk. This ensures that both security threats and risky employee activities are responded to with the right level of security at the right time. The platform easily scales to provide comprehensive identity-based protection across organizations of any size. The company is headquartered in San Francisco, CA. Learn more about us at www.preempt.com.
For further information, please contact:
Jacqueline Velasco
Lumina Communications for Preempt
T: 408-680-0564
E: preempt@luminapr.com
Logo - https://mma.prnewswire.com/media/547098/preempt_security_logo_Logo.jpg