CredSSP Encryption Oracle Remediation

Last modified: April 11, 2020

A fix for the CredSSP “Remote Code Execution” vulnerability (CVE-2018-0886), which may affect RDP connections, was released in the March 2018 Security Newsletter. The observed exploits proceeded as follows:

  • Targets receive a malicious RTF Microsoft Office document.
  • After opening, the malicious document allows the exploit’s second phase to be downloaded as a malicious code HTML page.
  • The malicious code triggers the use-after-free memory-corruption bug.
  • Accompanying shellcode then downloads and executes a malicious payload.

1. The VM screenshot shows the OS fully loaded and waiting for the credentials.

2. If you try to RDP the VM either internally or externally, you’ll get the message:

“An authentication error has occurred.”

“This could be due to CredSSP encryption oracle remediation.

For more information, see

Root Cause Analysis

In May, a monthly Windows update was implemented to resolve a vulnerability in the Credential Security Support Provider (CredSSP) protocol. The update does two things:

1. Corrects how the Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process.

2. Changes the default setting of the Encryption Oracle Remediation group policy from Vulnerable to Mitigated.

If the server and the client have different expectations when setting up a secure RDP session, the connection can be blocked.

The current default setting could also change from the tentative update, which would in turn affect the expected secure session requirement.

The matrix below shows the RDP result for each possible situation:

[Image: CredSSP RDP result matrix]

1. If both client and server are patched with the default setting (Mitigated), RDP will work in a secure way.

Resolution / Fix

Ensure that the recent patch is installed on both the client and the server, so that RDP sessions are set up securely.

Alternative Work-arounds

Mitigation 1

If you cannot RDP from your patched client to the VM, you could consider changing the policy settings on the client to temporarily regain RDP access to the servers.

You can change the settings in the Local Group Policy Editor. Run gpedit.msc and browse to Computer Configuration / Administrative Templates / System / Credentials Delegation in the left panel:

[Image: Change Local Group Policy Editor]


Then, change the Encryption Oracle Remediation policy to Enabled, and Protection Level to Vulnerable:

[Image: Change Encryption Oracle Remediation]
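Because Mitigation 1 is meant to be temporary, it helps to check afterwards which Protection Level a machine is actually left on. The following PowerShell audit is an added example, not part of the original article; the registry key and the `AllowEncryptionOracle` value name come from Microsoft's guidance for CVE-2018-0886 rather than from this page, and the function name is hypothetical.

```powershell
# Added example: report the CredSSP "Encryption Oracle Remediation" protection level.
# Key path and value name are from Microsoft's CVE-2018-0886 guidance (assumption:
# the policy is stored in the standard location written by the Group Policy setting).
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName = 'AllowEncryptionOracle'

# DWORD value -> Protection Level name as shown in the Group Policy editor.
$Levels = @{
    0 = 'Force Updated Clients'
    1 = 'Mitigated'
    2 = 'Vulnerable'
}

function Get-CredSspProtectionLevel {
    # Hypothetical helper. 'Not configured' means the value is absent and the
    # default of the installed update applies.
    $raw = $null
    if (Test-Path -Path $KeyPath) {
        $raw = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }

    if ($null -eq $raw) {
        $level = 'Not configured'
    } elseif ($Levels.ContainsKey([int]$raw)) {
        $level = $Levels[[int]$raw]
    } else {
        $level = "Unknown ($raw)"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RawValue     = $raw
        Level        = $level
        NeedsRevert  = ($level -eq 'Vulnerable')   # workaround still in place
    }
}

$result = Get-CredSspProtectionLevel
$result | Format-List

if ($result.NeedsRevert) {
    Write-Warning 'Protection Level is Vulnerable. Patch both client and server, then set the policy back to Mitigated.'
}
```

Run it on the client where the policy was changed; a `NeedsRevert` of `True` means the workaround has not been rolled back yet.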

