SUBSCRIBE TO TMCnet
TMCnet - World's Largest Communications and Technology Community

TMC NEWS

TMCNET eNEWSLETTER SIGNUP

Preempt Researchers Find Critical Vulnerability that Exploits Authentication in Microsoft Remote Desktop Protocol (MS-RDP)
[March 13, 2018]

Preempt Researchers Find Critical Vulnerability that Exploits Authentication in Microsoft Remote Desktop Protocol (MS-RDP)


SAN FRANCISCO, March 13, 2018 /PRNewswire/ -- Preempt, a leader in adaptive threat prevention that helps enterprises eliminate insider threats and security breaches, today announced its research team found a critical Microsoft vulnerability that consists of a logical flaw in Credential Security Support Provider protocol (CredSSP), which is used by Remote Desktop and WinRM in the authentication process. CredSSP is responsible for taking care of securely forwarding credentials to the target server. Researchers found that an attacker with man-in-the-middle control over the session can abuse it to achieve the ability to remotely run code on the compromised server on behalf of a user.

Preempt Security Logo (PRNewsfoto/Preempt)

With remote desktops being the most popular application to perform remote logins, this vulnerability poses extreme concern. This could leave enterprises vulnerable to a variety of threats from attackers including lateral movement and infection on critical servers or domain controllers. The vulnerability affects all Windows versions to date (starting with Windows Vista).

"This vulnerability is a big deal, and while no attacks have been detected in the wild, there are a few real-world situations where attacks can occur," said Roman Blachman, CTO and co-founder at Preempt. "Ensuring that your workstations are patched is the logical, first step to preventing this threat. It's important for organizations to use real-time threat response solutions to mitigate these types of threats."  

With this vulnerability, organizations are susceptible to having an attack mounted with simple Wi-Fi or physical access. If an attacker has access, they can launch a man-in-the-iddle attack. Other ways like Address Resolution Protocol (ARP) poisoning and attacking sensitive servers through vulnerable routers and switches will enable the attack.



Organizations can protect themselves from this vulnerability in a few ways:

  • Preempt customers have been protected from this flaw by providing in-depth defense with both alerting and real-time prevention when vulnerabilities, such as CredSSP flaw, are exploited in the network.
  • Make sure that workstations and servers are properly patched. This is a basic requirement. However, it is important to note that patching alone is not enough as IT professionals will also need to make a configuration change to apply the patch and be protected.
  • As with many previous exploits, blocking the relevant application ports (RDP, DCE/RPC) would also thwart attack. However, that this attack could be implemented in different ways, even using different protocols.
  • Reduce privileged account usage as much as possible and use non-privileged accounts whenever applicable
  • For more details on how organizations can protect themselves, read this blog: Security Advisory: Critical Vulnerability in CredSSP Allows Remote Code Execution on Servers (CVE-2018-0886)

As of March 13, 2018, Microsoft has issued a CVE-2018-0886 patch per Preempt's responsible disclosure of the CredSSP vulnerability. 


Additional Resources

About Preempt
Preempt protects organizations by eliminating insider threats and security breaches. Threats are not black or white and the Preempt Platform is the only solution that delivers adaptive threat prevention that continuously preempts threats based on identity, behavior and risk. This ensures that both security threats and risky employee activities are responded to with the right level of security at the right time. The platform easily scales to provide comprehensive identity based protection across organizations of any size. The company is headquartered in San Francisco, CA. Learn more about us at www.preempt.com.

For further information, please contact:
Jacqueline Velasco
Lumina Communications for Preempt
T: 408-680-0564
E: preempt@luminapr.com

 

Cision View original content with multimedia:http://www.prnewswire.com/news-releases/preempt-researchers-find-critical-vulnerability-that-exploits-authentication-in-microsoft-remote-desktop-protocol-ms-rdp-300613019.html

SOURCE Preempt


[ Back To TMCnet.com's Homepage ]







Technology Marketing Corporation

35 Nutmeg Drive Suite 340, Trumbull, Connecticut 06611 USA
Ph: 800-243-6002, 203-852-6800
Fx: 203-866-3326

General comments: tmc@tmcnet.com.
Comments about this site: webmaster@tmcnet.com.

STAY CURRENT YOUR WAY

© 2018 Technology Marketing Corporation. All rights reserved | Privacy Policy