Unfortunately, large-scale vulnerabilities are not a rarity. In 2017 we saw several major issues, like the KRACK Wi-Fi vulnerability and the global ransomware attack in May.
Recently, security researchers have discovered a new vulnerability in Microsoft’s Remote Desktop Protocol (RDP). Read on to find out how this exploit works, and how we’re protecting your systems from it.
How Does This Exploit Work?
All modern Professional versions of Windows contain a Remote Desktop feature that allows you to easily connect and log into another machine. You can use this to control another computer over a network, which IT staff often do for remote assistance or to access servers.
Whenever you connect using Remote Desktop, you have to provide credentials to log into the remote machine. A protocol known as Credential Security Support Provider (CredSSP) handles this, securely transferring the sensitive information to protect it from attack.
With this exploit, a malicious entity could use what’s called a man-in-the-middle attack to compromise the remote session. In this type of attack, someone hijacks the communication between two devices that believe they are communicating securely. They can then manipulate the traffic between the two machines, and in this case use the credentials sent from the first machine to gain access to the second.
The researchers who discovered this exploit note that it hasn’t been used in the wild yet. However, because this affects all modern versions of Windows and so many businesses use RDP, it’s a concerning attack. Someone could use it to access a domain controller and cause a lot of damage to your network.
How We’re Keeping You Safe
Thankfully, our best practices have allowed us to remove this vulnerability from our clients’ environments as soon as possible.
On March 13, Microsoft issued a patch to resolve this vulnerability. Per our regular automatic updates, all client machines will receive this update during our update window. As this is a time-sensitive issue, we have followed up after the patching window and confirmed that it installed correctly on affected machines.
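One way to confirm, after the patch window, that a machine both has the update and enforces its new connection policy (the "insecure connections" setting mentioned below) is the following PowerShell check. It is an added example, not code from the original post; it assumes Microsoft’s documented CredSSP "Encryption Oracle Remediation" policy registry path and its AllowEncryptionOracle value, and reports the credssp.dll version only for the reviewer to compare against the update’s release notes.

```powershell
# Added check (not part of the original post): reports whether this machine
# enforces the CredSSP "Encryption Oracle Remediation" policy that the March
# 2018 update introduced. Registry path and value name are Microsoft's documented
# ones (assumed here); value meanings: 0 = Force Updated Clients, 1 = Mitigated,
# 2 = Vulnerable.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$valueName  = 'AllowEncryptionOracle'
$meaning    = @{ 0 = 'Force Updated Clients (recommended)'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspRemediationState {
    # Returns one object per machine so results can be collected centrally
    # (e.g. via Invoke-Command) and reviewed after the patch window.
    $dll        = Join-Path $env:SystemRoot 'System32\credssp.dll'
    $dllVersion = if (Test-Path $dll) { (Get-Item $dll).VersionInfo.FileVersion } else { 'missing' }

    $value = $null
    if (Test-Path $policyPath) {
        $value = (Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    }

    $state = if ($null -eq $value) {
        # No explicit policy: the effective default depends on which cumulative
        # update is installed, so flag it for review instead of assuming it is safe.
        'Not configured (review: default depends on installed updates)'
    } elseif ($meaning.ContainsKey([int]$value)) {
        $meaning[[int]$value]
    } else {
        "Unknown value $value"
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CredSspDllVersion = $dllVersion
        PolicyValue       = $value
        State             = $state
        Compliant         = ($value -eq 0)   # only "Force Updated Clients" refuses unpatched peers
    }
}

Get-CredSspRemediationState | Format-List
```

A machine that reports Compliant = False still accepts connections from unpatched clients or servers, so it should be re-checked once the remaining endpoints have received the update.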
Finally, this exploit relies on the remotely connected user having privileges to take actions on the server. Per our best practices, users have the lowest level of permission that they need to do their work. Thus, there are few administrators who could be used in an attack like this to begin with.
This is a dangerous exploit, but thankfully it hasn’t been used on a wide scale and Microsoft has responded to it almost immediately. Since we’ve installed the patch on your systems and disabled insecure connections, you’re protected from this vulnerability and don’t need to worry.