The issue was discovered by researchers at security company Preempt who disclosed their findings to Microsoft last August. The company has been working since then to mitigate the flaw and develop a fix for customers. The vulnerability, identified as CVE-2018-0886, concerns a logical problem in Microsoft’s Credential Security Support Provider protocol (CredSSP).
CredSSP is responsible for providing login credentials to Windows Remote Desktop sessions. Preempt discovered that attackers could use the vulnerability to remotely execute code on target networks. The flaw could be exploited to move laterally through the network and hijack connected devices, including the network domain controller itself. Malware could then be delivered to achieve persistence or monitor network activity.
The bug is so serious because of the control it allows attackers to obtain. It also has a massive potential reach as it affects every supported version of Windows. While it’s unclear how many networks are impacted, Preempt noted that Remote Desktop Protocol is the most popular way to remotely login to systems. The company’s own research found “almost all” enterprise customers use the protocol.
READ NEXT: Microsoft unblocks Windows 10 Meltdown and Spectre updates
Preempt described the vulnerability as a “critical” issue but it has been designated “important” by Microsoft. This is because it can’t be directly exploited by attackers outside the network. An intruder would first need to employ a man-in-the-middle attack in order to utilise the CredSSP flaw.
“The vulnerability can be exploited by attackers by employing a man-in-the-middle attack to achieve the ability to run code remotely on previously not infected machines in the attacked network,” said Preempt. “The vulnerability, in many real-world scenarios where victim network has vulnerable network equipment, could result in an attacker gaining the ability to move laterally in the victim’s network and even infect domain controller with malicious software.”
Microsoft has taken over six months to patch the issue since it was first notified by Preempt. This month’s Patch Tuesday updates, released to Windows users earlier this week, include a preliminary fix that mitigates the vulnerability. The release includes a total of 75 patches for security bugs in Windows products.
Preempt said the flaw is not known to have been exploited in the wild. However, the public disclosure means attackers may now be devising ways in which to utilise the vulnerability. Enterprise networks should apply Microsoft’s patch as soon as possible to gain protection.
