James Steidl - Fotolia

Microsoft CredSSP: How was it exploited by CVE-2018-0886?

The CVE-2018-0886 vulnerability found within Microsoft's CredSSP was recently patched. Discover what this vulnerability is and how it affects the CredSSP protocol with Judith Myerson.

Microsoft recently patched a remote code execution vulnerability -- CVE-2018-0886 -- in their Credential Security Support Provider protocol. What is CredSSP used for? What is the vulnerability and how does it operate?

Credential Security Support Provider (CredSSP) is used by the Remote Desktop Protocol (RDP) to pass user credentials from a client or a local desktop to a server to be authenticated.

The CredSSP protocol uses the Transport Layer Security protocol to establish an encrypted channel between the client and the target server. While server authentication verifies the user connecting from their local desktop to a remote computer, the user's system security policy determines how strong the verification should be -- a user working remotely from a laptop can configure their settings to connect through an RDP gateway server.

The CVE-2018-0886 vulnerability is caused by the way CredSSP processes authentication requests. If the user credentials are transferred from a local computer to a compromised remote computer, the attacker has a better chance of taking over the remote operation; all applications that depend on CredSSP are at risk. The vulnerable products include Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016.

The CredSSP vulnerability allows a man-in-the-middle attack to be set up to steal session authentication credentials granted by a CredSSP session. When the session becomes available, the stolen authentication credentials can be used to enable a remote code execution attack on the server the user is attempting to connect to.

An attacker could then execute commands on the victim system to install programs, delete data or create new accounts. An infected server could share malicious text and audio files with the victim's client machine and the attacker could shut down an authentication failure warning message set up by the victim. Furthermore, data from a desktop application running on a remote server could be sent to a printer attached to the attacker's client machine and the connected printer would stay silent.

Microsoft has not identified any mitigations or workarounds for this vulnerability, though it has been patched in Microsoft's May 2018 security update.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing