CredSSP protocol has been designed to be used by RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM) that takes care of securely forwarding credentials encrypted from the Windows client to the target servers for remote authentication.
Discovered by researchers at Cybersecurity firm Preempt Security, the issue (CVE-2018-0886) is a logical cryptographic flaw in CredSSP that can be exploited by a man-in-the-middle attacker with Wi-Fi or physical access to the network to steal session authentication data and perform a Remote Procedure Call attack.
Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology
Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.Join Now
When a client and server authenticate over RDP and WinRM connection protocols, a man-in-the-middle attacker can execute remote commands to compromise enterprise networks.
"An attacker which have stolen a session from a user with sufficient privileges could run different commands with local admin privileges. This is especially critical in case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default," says Yaron Zinar, lead security researcher for Preempt.
"This could leave enterprises vulnerable to a variety of threats from attackers including lateral movement and infection on critical servers or domain controllers."Since RDP is the most popular application to perform remote logins and almost all enterprise customers are using RDP, it makes most networks vulnerable to this security issue.
To defend yourself and your organizations against the CredSSP exploit, users are recommended to patch their workstations and servers using available updates from the Microsoft.
Though researchers also warned that patching alone is not sufficient to prevent this attack, IT professionals are also required to make some configuration to apply the patch and be protected.
Blocking the relevant application ports including RDP and DCE/RPC would also thwart the attack, but researchers say this attack could even be implemented in different ways, using different protocols.
Therefore, to better protect your network, it is a good idea to decrease the use of privileged account as much as possible and instead use non-privileged accounts whenever applicable.
As part of March 2018 Patch Tuesday, Microsoft has also released security patches for its other products, including Microsoft IE and Edge browser, Windows OS, Microsoft Office, PowerShell, Core ChakraCore, as well as Adobe Flash player.