A fix for a CredSSP vulnerability, the “Remote Code Execution” flaw (CVE-2018-0886) that can affect RDP connections, was released in the March 2018 Security Newsletter. The observed exploits proceeded as follows:
- Targets receive a malicious RTF Microsoft Office document.
- Once opened, the malicious document downloads the exploit’s second stage, an HTML page containing malicious code.
- The malicious code triggers a use-after-free memory-corruption bug.
- The accompanying shellcode then downloads and executes a malicious payload.
1. The VM screenshot shows the OS fully loaded and waiting for credentials.
2. If you try to RDP to the VM, either internally or externally, you get the message:
“An authentication error has occurred.”
“This could be due to CredSSP encryption oracle remediation.
For more information, see ”
Root Cause Analysis
In May, the monthly Windows update was released to resolve a vulnerability in the Credential Security Support Provider (CredSSP) protocol. The update does two things:
1. Corrects how the Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process.
2. Changes the default setting of the Encryption Oracle Remediation group policy from Vulnerable to Mitigated.
If the server and the client have different expectations when setting up a secure RDP session, the connection can be blocked.
The update may change the current default setting, which in turn changes what each side requires for a secure session.
Below is the matrix of RDP outcomes for each possible situation:
1. If both client and server are patched with the default setting (Mitigated), RDP works securely.
So ensure that the recent patch is installed on both the client and the server side; RDP will then be set up safely.
Alternatively, if you cannot RDP from your patched client to the VM, you could consider temporarily changing the customer’s policy settings to regain RDP access to the servers.
To do so, open the Local Group Policy Editor: run gpedit.msc and browse to Computer Configuration / Administrative Templates / System / Credentials Delegation in the left panel:
Then set the Encryption Oracle Remediation policy to Enabled and its Protection Level to Vulnerable.
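The gpedit.msc change above is easy to forget on a host once the outage is over, so here is an added example (not from the original article) that audits the setting and restores the Mitigated level after both sides are patched. It assumes the registry value Microsoft documents as the backing store for this policy: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters, DWORD AllowEncryptionOracle (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable); verify that against the policy template on your build before relying on it.

```powershell
# Added example: audit/reset the CredSSP "Encryption Oracle Remediation" policy
# that the gpedit.msc steps in the article change. Assumption: the policy is
# backed by the registry value Microsoft documents for it (see lead-in).
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$LevelNames = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleLevel {
    # Returns the configured protection level, or a "not configured" marker when the
    # value is absent (on a patched host the default then behaves as Mitigated).
    $item = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Level = $null; Name = 'Not configured (patched default: Mitigated)' }
    }
    $level = [int]$item.AllowEncryptionOracle
    $name  = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] } else { "Unknown ($level)" }
    return [pscustomobject]@{ Level = $level; Name = $name }
}

function Set-CredSspOracleLevel {
    # Writes the policy value. Mitigated is the patched default and the level to
    # return to once both the RDP client and the server carry the update.
    param(
        [ValidateSet('ForceUpdatedClients', 'Mitigated', 'Vulnerable')]
        [string]$Level = 'Mitigated'
    )
    $code = @{ ForceUpdatedClients = 0; Mitigated = 1; Vulnerable = 2 }[$Level]
    if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    New-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -PropertyType DWord `
        -Value $code -Force | Out-Null
    return (Get-CredSspOracleLevel)
}

# Audit: flag a host that was left on Vulnerable after the temporary RDP workaround.
$current = Get-CredSspOracleLevel
Write-Host "CredSSP Encryption Oracle Remediation: $($current.Name)"
if ($current.Level -eq 2) {
    Write-Warning 'Host is set to Vulnerable; once both sides are patched, run: Set-CredSspOracleLevel -Level Mitigated'
}
```

Run it in an elevated PowerShell session; the policy value lives under HKLM, so reading may work unprivileged but writing will not.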