Patch/Configuration Management, Vulnerability Management

Patch Tuesday: Microsoft patches Remote Desktop Protocol exploit

This month's Microsoft patch Tuesday included more than 70 patches 15 of which were marked as critical and one that could exploit authentication in Microsoft Remote Desktop Protocol.

Microsoft released updates for products including, ASP.NET Core, .NET Core, PowerShell Core, ChakraCore, Microsoft Office, Microsoft Office Services, Web Apps, Internet Explorer, Microsoft Edge, Microsoft Windows, and  Microsoft Exchange Server.

One of the most significant patches was a vulnerability in Microsoft's Credential Security Support Provider protocol (CredSSP) which could allow a hacker to gain control of a domain server and other systems in the network. 

The vulnerability affects all Windows versions to date (starting with Windows Vista) and Preempt researchers found that an attacker could exploit the flaw in a man-in-the-middle attack that would allow them to abuse the protocol and remotely run code on the compromised server on behalf of a user.

"This vulnerability is a big deal, and while no attacks have been detected in the wild, there are a few real-world situations where attacks can occur," said Roman Blachman, CTO and co-founder at Preempt in a March 13 press release. "Ensuring that your workstations are patched is the logical, first step to preventing this threat."  

Nathan Wenzler, chief security strategist at AsTech called the vulnerability an example of how dangerous it can be to rely on security or administration tools without locking them down with hardened configurations.

“RDP is a widely used tool, but, as this exploit shows, a Man-in-the-Middle attack makes the use of this tool especially dangerous if the user is logging in with an administrator credential of any sort,” Wenzler said. “Of course, Microsoft has an obligation to ensure the vulnerability is fixed, which they're doing, but it's imperative that admins and security practitioners are doing more to reduce the amount of privileged access their administrators possess, that tools such as RDP are disabled if they're not being used, and doing whatever else they can to limit the amount of administrator-level exposure that an attacker might be able to compromise anywhere along the chain and then use to wreak havoc on the rest of the network.”

Wenzler added that its organizations need to make system hardening and secure configuration a requirement for their systems and network administration staff, instead of merely relying on patches and hotfixes to keep their environment secure.

Other researchers noted the requirements of the attack mean that an organization may have greater issues if an attacker is able to exploit the flaw. Chris Morales, head of security analytics at Vectra said if an attacker is already that deep in the network, there are many other things they could do such as scope out a network, find authentication accounts or compromise a server.

“I would classify this activity as a form of internal reconnaissance activity and just one more technique of many an attacker might leverage,” Morales said. “As long as a company is properly monitoring their internal environment for attacker behaviors, and can correlate this type of behavior with other attacker behaviors, they should have sufficient visibility to detect and respond to this type of reconnaissance behavior.” 

Microsoft also pathed a remote code execution flaw in Windows Shell that requires the user to download and open a malicious file in order to exploit it along with Meltdown and Spectre patches covering 32-bit versions of Windows 7 and 8.1, as well as Server 2008 and 2012.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.