Microsoft has released a patch for CVE-2018-0886, a critical vulnerability affecting the Credential Security Support Provider (CredSSP) protocol.
The vulnerability affects Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) on all Windows versions released to date; a successful attacker can relay a user's credentials to execute code on the target system.
If vulnerable systems are present on the victim's network, an attacker could move laterally and infect Windows domain controllers with malicious software.
How can attackers exploit the flaw?
An attacker can exploit this vulnerability by launching a man-in-the-middle (MITM) attack to execute remote commands while users are authenticating during RDP or WinRM sessions. Once a CredSSP session is established, the attacker can steal the session authentication and perform a Remote Procedure Call (DCE/RPC) attack against the server the user originally connected to. Having gained privileged access to the system, the attacker can run arbitrary commands and install payloads with local admin privileges.
This attack could be mounted through many scenarios, including:
An Attacker with WiFi or Physical Access
If an attacker has physical access to your network, they could easily launch a MITM attack. A WiFi network vulnerable to attacks like KRACK also exposes every machine that uses RDP over WiFi to this new attack.
Address Resolution Protocol (ARP) Poisoning
Combined with ARP poisoning, this vulnerability means an attacker in control of one machine could easily move laterally and infect all machines in the same network segment.
An attacker can simply compromise the router/switch near the server and wait for an IT admin to log on to the server using RDP.
We recommend you apply the Microsoft patch for CVE-2018-0886 as soon as possible.
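A defender-side check, added here and not part of the original article: after the update is installed, Microsoft exposes the CredSSP "Encryption Oracle Remediation" mode through a registry value, and this PowerShell snippet reports which mode the local host is running in. The registry path, value name and mode meanings come from Microsoft's guidance for this CVE (KB4093492), not from the article above.

```powershell
# Added example: report the CredSSP Encryption Oracle Remediation mode on this host.
# Path and value name are from Microsoft's CVE-2018-0886 guidance (KB4093492). If the
# value is absent, the default for the machine's update level applies, so also confirm
# the patch itself is installed.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$name = 'AllowEncryptionOracle'

# Meaning of each configured value, per Microsoft's guidance.
$modes = @{
    0 = 'Force Updated Clients: unpatched peers are refused (most restrictive)'
    1 = 'Mitigated: clients refuse unpatched servers; servers still accept unpatched clients'
    2 = 'Vulnerable: pre-patch behaviour, MITM downgrade remains possible'
}

$item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Output "$name is not set: the default for this host's update level applies."
} else {
    $value = [int]$item.$name
    $desc = if ($modes.ContainsKey($value)) { $modes[$value] } else { 'Unknown value' }
    Write-Output ("{0} = {1}: {2}" -f $name, $value, $desc)
    if ($value -eq 2) {
        Write-Warning 'Host is configured to allow vulnerable CredSSP sessions.'
    }
}
```

Run it in an elevated PowerShell session on each RDP/WinRM endpoint; a reported value of 2, or an unset value on an unpatched host, means the MITM scenario described above is still possible.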