A serious vulnerability found in Microsoft’s Credential Security Support Provider protocol (CredSSP) could allow a hacker to gain control of a domain server and other systems in the network.
CredSSP protocol has been designed to be used by RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM) that takes care of securely forwarding credentials encrypted from the Windows client to the target servers for remote authentication. Any application which depends on CredSSP for authentication may be vulnerable to this type of attack.
As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
What Can You Do?
Microsoft released a patch that according to them, “addresses the vulnerability by correcting how CredSSP validates requests during the authentication process.” It recommends also using Group Policy settings or registry-based settings: “We recommend that administrators apply the policy and set it to ‘Force updated clients’ or ‘Mitigated’ on client and server computers as soon as possible. These changes will require a reboot of the affected systems,” Microsoft said in its update.
To be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems and users must follow the instructions documented HERE to be fully protected.
BMT is aware of all available patches. If you are a BMT Managed Services client, we will be making necessary updates by installing these patches for you. If you are not, please contact us to learn what you can do to ensure your systems are secure.