Windows RDP Login Issues Tied to CVE-2018-0886

Initial Problem

Microsoft issued a patch back in March for the CredSSP subsystem in Windows to mitigate a remote code execution (RCE) flaw listed in CVE-2018-0886 (https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018).  To fully mitigate the vulnerability, the patch had to be deployed to both remote desktop clients and servers.  The March patch was deployed with the Vulnerable state as the default, which allows any remote desktop client to fall back to the insecure protocol version to connect to a server that has not been patched.  This was meant as a temporary measure to allow time for both the server and the client to be patched.  Once both have been patched, they can be set to Force Updated Clients and will be protected from the RCE flaw.

On May 8th, Microsoft issued a patch update (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886).  This update forced all Windows systems that originally received the patch, and all new installations, into the Mitigated state, creating a problem: patched servers in the Mitigated state would still accept remote desktop sessions from unpatched clients, but patched clients in the Mitigated state WOULD NOT fall back to talk to an unpatched server.  Since many organizations patch workstations more aggressively than servers, this may lead to loss of access via remote sessions.


Workaround

Depending on whether or not your hosted systems are in an Active Directory domain, there are two ways to handle this:

AD Domain Machines:

  1. Patch a non-domain controller (DC) server and reboot it.
  2. From the newly patched non-DC server, navigate to and copy the files from the following locations:
    1. C:\Windows\PolicyDefinitions\CredSsp.admx
    2. C:\Windows\PolicyDefinitions\en-US\CredSsp.adml
  3. On one of your DCs, navigate to: C:\Windows\SYSVOL\sysvol\<your domain>\Policies\PolicyDefinitions
  4. Rename the current CredSsp.admx to CredSsp.old and copy in the new CredSsp.admx from the non-DC server.
  5. On the same DC as steps 3-4, navigate to C:\Windows\SYSVOL\sysvol\<your domain>\Policies\PolicyDefinitions\en-US
  6. Rename CredSsp.adml to CredSsp.adml.old and copy in the new CredSsp.adml from the non-DC server.
  7. Reboot the DC.
  8. Create or edit an existing GPO and set the policy at Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Encryption Oracle Remediation to the Vulnerable setting.

From here on, any client or server which receives the patch through normal maintenance or automated updates will still allow RDP sessions to occur, but those sessions remain exposed to the RCE flaw.
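The following PowerShell script is an added example, not part of the original article, that automates steps 2-8 above: it copies the updated CredSsp.admx/.adml templates from a patched non-DC server into the domain's SYSVOL central store and sets the registry-backed "Encryption Oracle Remediation" policy in a GPO. The server name, domain FQDN and GPO name are assumptions to be replaced; it assumes the GroupPolicy RSAT module is installed, that a PolicyDefinitions central store already exists (the article's step 3 implies one), and that you run it with rights to SYSVOL. The same script with -Setting ForceUpdatedClients performs step 3 of the AD "Permanent Fix" later in this article.

```powershell
# Added example (not from the original article). Run from an admin workstation
# or DC with the GroupPolicy module available.
param(
    [string]$SourceServer = 'PATCHED-SERVER01',     # assumption: a patched, rebooted non-DC server
    [string]$Domain       = 'corp.example.com',     # assumption: your AD domain FQDN
    [string]$GpoName      = 'CredSSP Encryption Oracle Remediation',  # assumption: GPO name
    [ValidateSet('ForceUpdatedClients','Mitigated','Vulnerable')]
    [string]$Setting      = 'Vulnerable'            # workaround = Vulnerable, permanent fix = ForceUpdatedClients
)

# AllowEncryptionOracle values, as defined in the updated CredSsp.admx:
#   0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable
$valueMap = @{ ForceUpdatedClients = 0; Mitigated = 1; Vulnerable = 2 }
$policyKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

# The UNC path below is the same central store the article reaches locally on a DC via
# C:\Windows\SYSVOL\sysvol\<your domain>\Policies\PolicyDefinitions.
$centralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$templates = @(
    @{ Src = "\\$SourceServer\C$\Windows\PolicyDefinitions\CredSsp.admx";       Dst = "$centralStore\CredSsp.admx" },
    @{ Src = "\\$SourceServer\C$\Windows\PolicyDefinitions\en-US\CredSsp.adml"; Dst = "$centralStore\en-US\CredSsp.adml" }
)

foreach ($t in $templates) {
    # Preserve the old template (the article renames it to .old) before overwriting it.
    if (Test-Path $t.Dst) { Copy-Item -Path $t.Dst -Destination "$($t.Dst).old" -Force }
    Copy-Item -Path $t.Src -Destination $t.Dst -Force
    Write-Host "Updated $($t.Dst)"
}

Import-Module GroupPolicy

# Create the GPO if it does not exist yet (the article's "create or edit an existing GPO").
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Set the value the "Encryption Oracle Remediation" template writes.
Set-GPRegistryValue -Name $GpoName -Key $policyKey -ValueName 'AllowEncryptionOracle' `
    -Type DWord -Value $valueMap[$Setting] | Out-Null

# Read it back so the run shows exactly what clients and servers will receive.
Get-GPRegistryValue -Name $GpoName -Key $policyKey -ValueName 'AllowEncryptionOracle' |
    Select-Object ValueName, Type, Value
```

A newly created GPO is not linked anywhere; link it to the OUs holding the affected clients and servers (for example with New-GPLink) and allow a Group Policy refresh or reboot, as in step 7, before expecting the setting to apply.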

Non-Domain Machines:

  1. Create a batch file to run the following command on all clients and servers (the /f switch overwrites an existing value without prompting, so the batch file does not stall; 2 selects the Vulnerable setting):
    1. REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
  2. Reboot the system.

From here on, any client or server which receives the patch through normal maintenance or automated updates will still allow RDP sessions to occur, but those sessions remain exposed to the RCE flaw.

Permanent Fix

Depending on whether or not your hosted systems are in an Active Directory domain, there are two paths to final remediation:

AD Domain Machines:

  1. Patch all your client remote desktops (see Patches to Deploy by O/S below).
  2. Patch all servers (see Patches to Deploy by O/S below).
  3. Change the GPO policy at Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Encryption Oracle Remediation to the Force Updated Clients setting.
  4. Reboot all affected machines.

Non-Domain Machines:

  1. Patch all your client remote desktops (see Patches to Deploy by O/S below).
  2. Patch all servers (see Patches to Deploy by O/S below).
  3. Modify your workaround batch file to run the following command (0 selects the Force Updated Clients setting):
    1. REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 0 /f
  4. Reboot all affected machines.
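The script below is an added example, not from the original article, that replaces the REG ADD batch file for non-domain machines and covers both the workaround (Vulnerable) and the permanent fix (Force Updated Clients) from one place. It also reads the setting back and checks whether one of the May 2018 updates listed in this article is installed, so an operator can tell which state a given box is really in before switching it to Force Updated Clients. Run it elevated; the function names are my own, and the KB check covers only the KBs named in this article (Windows 10 builds use per-version KBs that you would need to add).

```powershell
# Added example (not from the original article). Requires an elevated PowerShell session.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

# AllowEncryptionOracle values: 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable
$StateNames  = @{ 0 = 'ForceUpdatedClients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
$StateValues = @{ ForceUpdatedClients = 0; Mitigated = 1; Vulnerable = 2 }

function Get-CredSspOracleState {
    # Returns the configured state name, or 'NotConfigured' when the value is absent
    # (absent means the OS default applies: Vulnerable after the March patch, Mitigated after May).
    $item = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    $v = [int]$item.AllowEncryptionOracle
    if ($StateNames.ContainsKey($v)) { return $StateNames[$v] }
    return "Unknown($v)"
}

function Set-CredSspOracleState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ForceUpdatedClients','Mitigated','Vulnerable')]
        [string]$State
    )
    # A machine that never had the policy set has no CredSSP\Parameters key yet, so create the path first.
    if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    # Equivalent of the article's:
    #   REG ADD "HKLM\...\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d <value> /f
    New-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -PropertyType DWord `
        -Value $StateValues[$State] -Force | Out-Null
    return (Get-CredSspOracleState)
}

function Test-CredSspPatch {
    # True if any of the May 2018 CredSSP updates listed in this article is installed.
    $kbs = 'KB4103712','KB4103715','KB4103718','KB4103723','KB4103725'
    $found = Get-HotFix -Id $kbs -ErrorAction SilentlyContinue
    return [bool]$found
}

# Example run: inspect, then apply the workaround. Use -State ForceUpdatedClients for the permanent fix.
"Current state : $(Get-CredSspOracleState)"
"May KB present: $(Test-CredSspPatch)"
"New state     : $(Set-CredSspOracleState -State Vulnerable)"
```

The registry value is read by CredSSP when a new connection is negotiated, but the article's advice to reboot after changing it is the safe way to make sure every service and cached session picks it up.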

Patches to Deploy by O/S

  1. Security Update for Microsoft Windows (KB4103712): Windows 7 (32-bit & x64), Windows Server 2008 SP2 and 2008R2 SP1
  2. Security Update for Microsoft Windows (KB4103715): Windows 8.1 (32-bit & x64), Windows Server 2012R2
  3. Security Update for Microsoft Windows (KB4103718): Windows Server 2008R2 SP1
  4. Security Update for Microsoft Windows (KB4103723): Windows Server 2016
  5. Security Update for Microsoft Windows (KB4103725): Windows Server 2012R2
  6. Security Update for Microsoft Windows 10: see https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886 for individual version links.


PCI Warning

PCI scans of clients whose servers have not been patched may report a failure due to the active CVE.  Customers who fall into this category can accelerate their patch schedule according to their own risk management policies.


Owner: DataBank Security
Last Reviewed Date: May 16, 2018


Details
Category: Vulnerabilities

Last Modified: Wednesday, May 16, 2018 1:41 PM

Type: HOWTO

Level: Advanced
