Dangerous CredSSP Vulnerability opens door into corporate servers
A critical vulnerability in the Credential Security Support Provider protocol (CredSSP), introduced in Windows Vista and present in every Windows version since, can be exploited by a man-in-the-middle (MitM) attacker to run code remotely on previously uninfected machines and servers in the attacked network.

In its March Patch Tuesday release, Microsoft shipped a fix for CVE-2018-0886, a vulnerability discovered by Preempt researchers. It is a logical flaw in CredSSP, the protocol that RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM) rely on to forward a user's credentials securely to the target server. An attacker positioned between client and server can abuse the flaw to run code remotely on machines that were not previously infected. In many real-world networks, where vulnerable network equipment makes such a MitM position achievable, this gives the attacker a way to move laterally through the victim's network and even to plant malware on a domain controller.
Because the flaw is in the protocol logic rather than in one implementation, it affects all Windows versions to date. Its reach is correspondingly broad: RDP is the most popular application for performing remote logins, and in Preempt's internal research we found that almost all enterprise customers use RDP, making them vulnerable to this issue until the patch is applied.
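The fix for CVE-2018-0886 does two things: it updates the CredSSP provider, and it adds a Group Policy setting, Encryption Oracle Remediation (Computer Configuration > Administrative Templates > System > Credentials Delegation), whose three levels decide whether a patched host will still talk to an unpatched peer. The script below is an added example, not code from the article or from Preempt; it audits that setting on the local host, optionally enforces the strictest level, and queries a fleet over WinRM. The registry path and the meaning of the values 0, 1 and 2 are Microsoft's; the function names and the host names in the usage lines are this example's own assumptions.

```powershell
# Added example (not from the original article or from Preempt): audit and,
# if asked, enforce the "Encryption Oracle Remediation" setting that the
# CVE-2018-0886 update added for CredSSP (used by RDP and WinRM).
# Run from an elevated PowerShell session. The key path and the 0/1/2
# meanings are as Microsoft documents them; the function names are ours.

$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

# Policy levels as documented by Microsoft for Encryption Oracle Remediation.
$OracleLevels = @{
    0 = 'Force Updated Clients: refuse to talk to any unpatched peer'
    1 = 'Mitigated: updated clients refuse insecure fallback; servers still accept unpatched clients'
    2 = 'Vulnerable: insecure fallback allowed, i.e. the pre-patch behaviour'
}

function Get-CredSspOracleState {
    # Reads AllowEncryptionOracle on the local host. A missing value means no
    # administrator has chosen a level and the OS default applies. On a host that
    # never received the CredSSP update there is nothing to configure: it stays
    # vulnerable regardless of this key, so confirm patch state separately.
    $item = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Level = $null; Meaning = 'Not set: OS default applies' }
    }
    $level   = [int]$item.AllowEncryptionOracle
    $meaning = if ($OracleLevels.ContainsKey($level)) { $OracleLevels[$level] } else { "Unknown value $level" }
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Level = $level; Meaning = $meaning }
}

function Set-CredSspOracleState {
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Level
    )
    # The DWORD is what the updated CredSSP provider consults on its next
    # authentication; no reboot is needed for a change to take effect.
    if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    Set-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -Value $Level -Type DWord
    Get-CredSspOracleState
}

function Get-CredSspOracleStateRemote {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    # Fleet check over PowerShell remoting. The script block is self-contained so
    # it runs unchanged on each target. The remoting session itself authenticates
    # with Kerberos and does not use CredSSP, so it works against hosts at any level.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
        $v   = (Get-ItemProperty -Path $key -Name AllowEncryptionOracle -ErrorAction SilentlyContinue).AllowEncryptionOracle
        [pscustomobject]@{ Host = $env:COMPUTERNAME; Level = $v }
    }
}

# Usage on the local host:
Get-CredSspOracleState | Format-List

# Lock this host down once every peer it reaches over RDP/WinRM is patched:
#   Set-CredSspOracleState -Level 0
# Hypothetical host list, constructed for this example:
#   Get-CredSspOracleStateRemote -ComputerName 'dc01', 'jump01' | Format-Table
```

Two caveats when rolling this out. Level 0 (Force Updated Clients) makes an updated client refuse RDP and WinRM-with-CredSSP connections to any server that has not received the update, so apply it only after the servers are patched, or you will lock administrators out of the very machines they need to fix. And the level is only meaningful on a host that has the update installed: setting the key on an unpatched server changes nothing, so pair this audit with your patch-management inventory.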
CredSSP Vulnerability Video
When a client and server authenticate over RDP or WinRM, an attacker in a man-in-the-middle position can turn that exchange into the ability to execute remote commands, and from there compromise the enterprise network.
"An attacker who has stolen a session from a user with sufficient privileges could run different commands with local admin privileges. This is especially critical in the case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default," says Yaron Zinar, lead security researcher at Preempt.
"This could leave enterprises vulnerable to a variety of threats from attackers, including lateral movement and infection of critical servers or domain controllers."

Since RDP is the most popular application for remote logins and almost all enterprise customers use it, most networks are exposed to this security issue until the patch is deployed.