Free Republic

Microsoft to lock out Windows RDP clients if they are not patched against hijack bug
The Register | Mar 23, 2018 | Simon Sharwood

Posted on 03/24/2018 5:56:58 PM PDT by dayglored

Black Hat Asia: Microsoft will prevent Windows Server from authenticating RDP clients that have not been patched to address a security flaw that can be exploited by miscreants to hijack systems and laterally move across a network.

The bug, CVE-2018-0886, was fixed in March's Patch Tuesday software update, and involves Microsoft's implementation of its Credential Security Support Provider protocol (CredSSP). A miscreant-in-the-middle on a corporate network can abuse the flaw to send arbitrary commands to a server to execute while masquerading as a legit user or admin.

From there, lateral movement through an intranet becomes possible, and that’s just the sort of thing bad actors love. The flaw was discovered by security company Preempt, which explained it in the video below.

[YouTube video]

Microsoft’s documentation for the patch reads: “Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers.

“We recommend that administrators apply the policy and set it to ‘Force updated clients’ or ‘Mitigated’ on client and server computers as soon as possible.”

The Microsoft advisory also mentions two planned actions to address the vulnerability. On April 17, 2018, an update to Microsoft’s RDP client “will enhance the error message that is presented when an updated client fails to connect to a server that has not been updated.” And on May 8, or perhaps later, “an update to change the default setting from vulnerable to mitigated” will arrive.

On Friday March 23rd, Preempt personnel told the Black Hat Asia conference in Singapore that the May patches will cause un-patched RDP clients to be rejected by patched Windows Server boxes, so that the vulnerability can’t be exploited.

It seems sensible to keep a close eye on April and May's Patch Tuesday dump. It's also worth looking for updates from vendors of third-party RDP clients, as they can also fall foul of this vulnerability. ®


TOPICS: Business/Economy; Computers/Internet; Hobbies
KEYWORDS: remotedesktop; windows; windowspinglist; windowsserver
Make no mistake -- this is overall a GOOD thing. But it will cause some inconvenience...
1 posted on 03/24/2018 5:56:58 PM PDT by dayglored
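
A way to check which of the policy levels named in the article is in effect on a given machine, as an added example that is not part of the article or of this thread. The registry path and value name are Microsoft's documented registry equivalent of the Group Policy setting and do not appear on this page; the function name is hypothetical.

```powershell
# Added example: audit the CredSSP "Encryption Oracle Remediation" setting.
# Assumption: registry path and value name come from Microsoft's guidance for
# CVE-2018-0886, not from this page.
$CredSspKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$CredSspValue = 'AllowEncryptionOracle'

# DWORD value -> protection level, using the names quoted in the article.
$Levels = @{
    0 = 'Force updated clients'
    1 = 'Mitigated'
    2 = 'Vulnerable'
}

function Get-CredSspOracleSetting {   # hypothetical helper name
    param(
        [string]$KeyPath   = $CredSspKey,
        [string]$ValueName = $CredSspValue
    )

    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit policy: the OS default applies. Per the article that default
        # is "vulnerable" until the later update flips it to "mitigated".
        return [pscustomobject]@{
            Configured = $false
            Value      = $null
            Level      = 'Not configured (OS default applies)'
            Acceptable = $false
        }
    }

    $value = [int]$item.$ValueName
    $level = if ($Levels.ContainsKey($value)) { $Levels[$value] } else { "Unknown ($value)" }
    [pscustomobject]@{
        Configured = $true
        Value      = $value
        Level      = $level
        Acceptable = ($value -in 0, 1)   # the two levels Microsoft recommends
    }
}

$result = Get-CredSspOracleSetting
$result | Format-List
if (-not $result.Acceptable) {
    Write-Warning "CredSSP policy is '$($result.Level)'; set it to 'Force updated clients' or 'Mitigated' after installing the update."
}
```

The setting only takes effect on machines that already have the March 2018 update installed, so pair this check with a patch-level inventory.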

To: Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; amigatec; AppyPappy; arnoldc1; ATOMIC_PUNK; ...
Remote Desktop heads-up ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

2 posted on 03/24/2018 5:57:30 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored
Another acronym without an explanation. Had to look it up. Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.

Good Hunting... from Varmint Al

3 posted on 03/24/2018 6:13:13 PM PDT by Varmint Al

To: Varmint Al
Ah, sorry about that, should have de-acronymized it.

RDP was actually developed by Citrix long ago, which is why it works. They called it "MetaFrame". Microsoft licensed a portion of it, crossed out "MetaFrame" and wrote in "Remote Desktop" in crayon.

RDP clients have been supported for a long time, not only in Windows clients, but in Mac (by a Microsoft product), and in Linux as "rdesktop", which is open source and not related to the Microsoft or Citrix codebases.

4 posted on 03/24/2018 6:25:06 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

I remote from my Linux Mint desktop to my Windows server 2008 computer using Remmina RDP client. Do you think I will get locked out of my own computer?


5 posted on 03/24/2018 7:18:23 PM PDT by Dalberg-Acton

To: Dalberg-Acton
> I remote from my Linux Mint desktop to my Windows server 2008 computer using Remmina RDP client. Do you think I will get locked out of my own computer?

Good lord, I hope not. Presumably, if Server can tell whether a Windows RDP client is patched or not, it can tell that it's not talking with a Microsoft client at all -- Remmina or rdesktop or whatever.

That will be a flaming disaster if it blocks all non-Microsoft clients.

6 posted on 03/24/2018 7:45:44 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: Dalberg-Acton
Also: The Register article does say: "It's also worth looking for updates from vendors of third-party RDP clients, as they can also fall foul of this vulnerability."

Oy, this could get ugly quickly...

7 posted on 03/24/2018 7:47:27 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

Thanks for investigating. I guess I’ll just leave the server turned off until MS gets their act together. I hope the power supply capacitors don’t dry out while I wait for THAT to happen!


8 posted on 03/24/2018 8:44:24 PM PDT by Dalberg-Acton

To: Dalberg-Acton
> I hope the power supply capacitors don’t dry out while I wait for THAT to happen!

LOL I have an old early-70's Fender Twin Reverb tube amp with the original electrolytics. It doesn't see regular club action any more (I am older and have smaller/lighter amps for that), so I turn it on every few months and warm it up, just to rebuild the dielectric in the caps. Otherwise it may get exciting the -next- time...

9 posted on 03/24/2018 10:13:15 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored
I've read you can revive old tube equipment that has sat a long time with a variable transformer, to slowly raise the voltage so the caps don't blow.


10 posted on 03/24/2018 10:43:14 PM PDT by Dalberg-Acton

To: Dalberg-Acton

Yep, done that too. But my old Variac isn’t as pretty as that one, though — I scrounged it from a rack panel in a MIL surplus store. The windings are all open, so you have to be real careful handling it. But then, you can see how it works :-)


11 posted on 03/25/2018 6:35:41 AM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored; Dalberg-Acton

Incidentally, that Variac came in handy in another context. The band was playing for an outdoor rural festival that was powered by gas generators, and the organizers had run looooong power cables to the stage, so we were getting maybe 105VAC lightly loaded, but whenever the bass player hit a power note, the line dropped to around 95VAC, and as a result, our fancy digital signal processing rack gear would reset. I wired up the Variac (of course I carried it with me; ya never know) as a boost autotransformer and the show went on...


12 posted on 03/25/2018 6:42:22 AM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
