CVE-2018-0886 is the identifier of a critical flaw in the Credential Security Support Provider (CredSSP). The vulnerability affects all versions of Windows and lets remote attackers exploit RDP (Remote Desktop Protocol) and WinRM (Windows Remote Management) sessions.
CVE-2018-0886 – Technical Details
Upon successful exploitation, attackers could run malicious code and steal sensitive data from compromised systems. The flaw was disclosed by researchers at Preempt Security.
“A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system”, Microsoft explained.
It should be noted that CredSSP is an authentication provider that processes authentication requests on behalf of other applications. This leaves any application that depends on CredSSP for authentication exposed to such an attack.
As Microsoft explains:
As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
More specifically, when a client and server authenticate over RDP or WinRM, an attacker positioned in the middle of the connection can hijack the session. Such an attacker would be able to execute commands remotely and thus compromise entire networks. How severe exploitation is depends on the enterprise network being targeted.
“An attacker who has stolen a session from a user with sufficient privileges could run different commands with local admin privileges. This is especially critical in the case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default,” explained Yaron Zinar, lead security researcher at Preempt, the security company that came across CVE-2018-0886.
Update That Corrects the Vulnerability Is Available
Fortunately, a security update addressing the flaw has already been released. The update corrects how CredSSP validates requests during the authentication process.
What should users do to protect themselves from this attack? They should enable the relevant Group Policy settings on their systems and update their Remote Desktop clients as soon as possible. Keep in mind that these Group Policy settings are disabled by default to prevent connectivity problems. To learn how to enable them, users should follow the instructions presented here.
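A defender-side check for the policy described above, added here as an example; it is not part of the original article or of Microsoft's own guidance. It assumes the registry location and value name (AllowEncryptionOracle under the CredSSP\Parameters policy key) that the update's documentation uses for the "Encryption Oracle Remediation" setting, which is where the corresponding Group Policy also writes its value.

```powershell
# Added example: audit (and optionally harden) the CredSSP "Encryption Oracle
# Remediation" policy introduced by the CVE-2018-0886 update.
# Assumption: registry path and value name follow Microsoft's update documentation;
# verify against the current advisory before relying on them.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName = 'AllowEncryptionOracle'

# Meaning of each documented policy value (DWORD).
$Levels = @{
    0 = 'Force Updated Clients (connections to unpatched hosts are refused)'
    1 = 'Mitigated (no fallback to the insecure CredSSP version)'
    2 = 'Vulnerable (insecure fallback allowed; exposed to CVE-2018-0886)'
}

function Get-CredSspOracleRemediation {
    # Returns the configured level, or reports that no explicit policy is set.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Configured = $false; Value = $null
            Meaning    = 'Not configured (the update''s built-in default applies; confirm the update is installed)'
        }
    }
    $v = [int]$item.$ValueName
    [pscustomobject]@{ Configured = $true; Value = $v; Meaning = $Levels[$v] }
}

function Set-CredSspOracleRemediation {
    # Writes level 0 or 1; level 2 (Vulnerable) is deliberately not offered. Requires elevation.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet(0, 1)][int]$Level = 1)
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", "Set to $Level")) {
        if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $Level -Type DWord
    }
}

# Usage: report the effective setting and flag the explicitly weak configuration.
$state = Get-CredSspOracleRemediation
Write-Output ("CredSSP Encryption Oracle Remediation: {0}" -f $state.Meaning)
if ($state.Configured -and $state.Value -eq 2) {
    Write-Warning 'Host is set to Vulnerable; run Set-CredSspOracleRemediation -Level 1 from an elevated session.'
}
```

Run `Set-CredSspOracleRemediation -Level 1 -WhatIf` first to preview the change without writing it; remember that level 0 refuses connections to hosts that have not received the update.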
The update was issued on March 2018’s “Patch Tuesday”; that month’s security release fixed a total of 75 issues.