Critical vulnerability found in Windows Remote Desktop Protocol
Researchers at threat prevention specialist Preempt have discovered a flaw in Credential Security Support Provider protocol (CredSSP), which is used by Remote Desktop and WinRM in their authentication processes.
An attacker with man-in-the-middle control over the session could use it to run code remotely on the compromised server while masquerading as a legitimate user.
Because Remote Desktop is widely used for remote logins, this vulnerability is a major concern. It could leave enterprises exposed to a variety of threats, including lateral movement and the infection of critical servers or domain controllers. The vulnerability affects all Windows versions dating back to Vista.
"This vulnerability is a big deal, and while no attacks have been detected in the wild, there are a few real-world situations where attacks can occur," says Roman Blachman, CTO and co-founder at Preempt. "Ensuring that your workstations are patched is the logical first step to preventing this threat. It's important for organizations to use real-time threat response solutions to mitigate these types of threats."
In order to protect themselves, businesses are advised to make sure that workstations and servers are properly patched. IT professionals will also need to make a configuration change for the patch to take effect and provide protection. Blocking the relevant application ports (RDP, DCE/RPC) would also thwart the attack. However, Preempt warns that the attack could be implemented in different ways, even using different protocols, so it is also a good idea to reduce privileged account usage as much as possible and use non-privileged accounts wherever applicable.
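As an added example (not code from the article or from Preempt), the following PowerShell script audits the two host-side mitigations described above: whether the CredSSP configuration change has been applied, and whether RDP is still reachable through the host firewall. The registry path and the meaning of the AllowEncryptionOracle values are taken from Microsoft's published CredSSP remediation guidance rather than from this article; TCP 3389 is the default RDP port, and the cmdlets are standard Windows ones. Run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the article or Preempt): audit a Windows host's
# CredSSP mitigation state and RDP firewall exposure from a defender's side.
# Registry path and value meanings come from Microsoft's CredSSP remediation
# guidance (not stated on this page); 3389 is the default RDP listener port.

function Get-CredSspOracleState {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $name = 'AllowEncryptionOracle'

    $value = $null
    if (Test-Path $key) {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    }

    # Microsoft's documented meanings: 0 = Force Updated Clients,
    # 1 = Mitigated, 2 = Vulnerable. An absent value means the policy was
    # never set explicitly; the effective behaviour then depends on whether
    # the update is installed, so it is reported as non-compliant here.
    if ($null -eq $value) {
        $meaning = 'NotConfigured (depends on whether the update is installed)'
    } elseif ($value -eq 0) {
        $meaning = 'ForceUpdatedClients (refuses unpatched peers)'
    } elseif ($value -eq 1) {
        $meaning = 'Mitigated (clients refuse to fall back to the insecure behaviour)'
    } elseif ($value -eq 2) {
        $meaning = 'Vulnerable (insecure behaviour explicitly re-enabled)'
    } else {
        $meaning = "Unknown value $value"
    }

    [pscustomobject]@{
        Setting   = $name
        Value     = $value
        Meaning   = $meaning
        Compliant = ($value -in 0, 1)
    }
}

function Get-RdpExposure {
    # Is anything listening on the default RDP port, and does any enabled
    # inbound allow rule in the host firewall open that port?
    $listening = @(Get-NetTCPConnection -State Listen -LocalPort 3389 `
                     -ErrorAction SilentlyContinue).Count -gt 0

    $allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True `
                      -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }

    [pscustomobject]@{
        RdpListening      = $listening
        InboundAllowRules = @($allowRules | Select-Object -ExpandProperty DisplayName)
    }
}

# Report both checks and flag the gaps the article's advice is meant to close.
$credssp = Get-CredSspOracleState
$rdp     = Get-RdpExposure
$credssp | Format-List
$rdp     | Format-List

if (-not $credssp.Compliant) {
    Write-Warning 'CredSSP AllowEncryptionOracle is not set to Force Updated Clients (0) or Mitigated (1).'
}
if ($rdp.RdpListening -and $rdp.InboundAllowRules.Count -gt 0) {
    Write-Warning 'RDP is listening and allowed through the host firewall; restrict the permitted sources.'
}
```

The CredSSP check reports the explicit policy value rather than guessing the effective state, because the same absent value means different things on patched and unpatched hosts; pairing it with the patch inventory from your management tooling gives the full picture. The firewall check only inspects rule objects, so a host that reaches RDP through a third-party firewall or a network path not covered by Windows Firewall still needs a network-side review.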
More details of the vulnerability can be found on the Preempt blog.