No update installed? No connection.
Microsoft will prevent Windows Server from authenticating RDP clients that have not been patched to address a security flaw that can be exploited by miscreants to hijack systems and laterally move across a network.
The bug, CVE-2018-0886, was fixed in March’s Patch Tuesday software update, and involves Microsoft’s implementation of its Credential Security Support Provider protocol (CredSSP). A miscreant-in-the-middle on a corporate network can abuse the flaw to send arbitrary commands to a server to execute while masquerading as a legit user or admin.
From there, lateral movement through an intranet becomes possible, and that’s just the sort of thing bad actors love. The flaw was discovered by security company Preempt, which explained it in a video.
Microsoft’s documentation for the patch reads: “Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers.
“We recommend that administrators apply the policy and set it to ‘Force updated clients’ or ‘Mitigated’ on client and server computers as soon as possible.”
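As an added illustration (not part of the article or of the Microsoft text quoted above), this PowerShell reports which of those settings one or more machines currently have. The registry path and the `AllowEncryptionOracle` value with its 0/1/2 meanings are the ones Microsoft documents for this policy and do not appear on this page; the function name is hypothetical, and remote hosts are assumed to be reachable over PowerShell remoting.

```powershell
# Added example: audit the CredSSP "Encryption Oracle Remediation" setting.
# Key path and value meanings follow Microsoft's documentation for
# CVE-2018-0886; they are not quoted in the article itself.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Levels     = @{ 0 = 'Force updated clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleSetting {   # hypothetical helper name
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Runs on each target: returns the raw DWORD, or nothing when unset.
    $probe = {
        param($Key)
        $p = Get-ItemProperty -Path $Key -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
        if ($p) { [int]$p.AllowEncryptionOracle }
    }

    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) {
                $raw = & $probe $CredSspKey
            } else {
                $raw = Invoke-Command -ComputerName $name -ScriptBlock $probe `
                           -ArgumentList $CredSspKey -ErrorAction Stop
            }

            if ($null -eq $raw) {
                # No policy set: behaviour depends on which updates are installed.
                $setting = 'Not configured (patch-level default applies)'
                $ok = $false
            } else {
                $value   = [int]$raw
                $setting = if ($Levels.ContainsKey($value)) { $Levels[$value] } else { "Unknown value $value" }
                # The advisory recommends 'Force updated clients' or 'Mitigated'.
                $ok = $value -in 0, 1
            }
            [pscustomobject]@{ Computer = $name; Setting = $setting; MeetsRecommendation = $ok }
        } catch {
            [pscustomobject]@{ Computer = $name; Setting = "Unreachable: $($_.Exception.Message)"; MeetsRecommendation = $false }
        }
    }
}

# Local machine by default; pass -ComputerName for a list of hosts.
Get-CredSspOracleSetting | Format-Table -AutoSize
```

A machine reported as not configured should be checked against its installed updates, since the default is what the later update changes from vulnerable to mitigated.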
The Microsoft advisory also mentions two planned actions to address the vulnerability. On April 17, 2018, an update to Microsoft’s RDP client “will enhance the error message that is presented when an updated client fails to connect to a server that has not been updated.” And on May 8, or perhaps later, “an update to change the default setting from vulnerable to mitigated” will arrive.
On Friday, March 23rd, Preempt personnel told the Black Hat Asia conference in Singapore that the May patches will cause unpatched RDP clients to be rejected by patched Windows Server boxes, so that the vulnerability can’t be exploited.
It seems sensible to keep a close eye on April and May’s Patch Tuesday dump. It’s also worth looking for updates from vendors of third-party RDP clients, as they can also fall foul of this vulnerability.