The March 2018 Patch Tuesday contains a fix for a severe vulnerability in the CredSSP protocol, a flaw that affects all Windows versions.
Security researchers from Preempt say the flaw (CVE-2018-0886) can be abused to run commands on, and gain control of, Windows domain controllers, and then to expand access to other systems. The research team describes the vulnerability as a "logic" bug in CredSSP rather than a memory-corruption issue.
The Credential Security Support Provider (CredSSP) protocol is a Windows-specific mechanism that is responsible for securely forwarding authentication credentials between a client and a remote server in an internal network/domain.
CredSSP is used by the Remote Desktop Protocol (RDP) when Network Level Authentication is enabled and by the Windows Remote Management (WinRM) service, so both RDP and WinRM sessions are exposed to the flaw.
According to a video and a report shared with Bleeping Computer before publication, an attacker can exploit the CredSSP vulnerability to execute commands on the remote host with the victim's privileges at the moment the user authenticates over RDP or WinRM.
Because of the nature of this flaw, the attacker needs a man-in-the-middle (MitM) position to intercept and tamper with the victim's traffic. That means the attacker must either already have a foothold on the internal network or control an ISP-level system that relays the victim's RDP session.
A MitM position used to be a real obstacle for attackers, but compromising an internal network to obtain one has become considerably easier in recent years because of the proliferation of IoT devices that often remain unpatched, leaving gaping holes in companies' defenses.
Unpatched IoT devices, attacks such as KRACK, and classic ARP poisoning all give an intruder the MitM position this flaw requires, which makes it a viable way to escalate from local network access to a firmer foothold by taking over the domain controllers.
"There will be a time window when this can be possibly exploited on a large number of machines, but this method matches mostly targeting attacks due to the requirement for MitM techniques," the Preempt team told Bleeping Computer today in an email.
The team highlights that a high degree of technical knowledge is needed to exploit this flaw, knowledge that only a few attackers possess.
The researchers, who told us they discovered the flaw while analyzing the authentication used by Microsoft's Remote Desktop Protocol, recommend that organizations apply this month's Patch Tuesday security updates on both RDP/WinRM clients and servers to prevent future exploitation attempts.
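Patching is only half of the fix: the update for CVE-2018-0886 also introduced the "Encryption Oracle Remediation" policy (Computer Configuration > Administrative Templates > System > Credentials Delegation), whose setting decides whether a patched machine will still fall back to the insecure protocol version when talking to an unpatched peer. The following PowerShell snippet is an added example written for this article, not code from Bleeping Computer or from Preempt's report; the registry path, value name and value meanings are taken from Microsoft's guidance for the update, and the script assumes it is run with rights to read HKLM.

```powershell
# Added example (not from the article or Preempt's report): report the
# CredSSP "Encryption Oracle Remediation" setting introduced by the
# CVE-2018-0886 fix. Registry location and value meanings follow
# Microsoft's guidance for the update (KB4093492).
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

# Meaning of each AllowEncryptionOracle value, as defined by the policy.
$meaning = @{
    0 = 'Force Updated Clients: client never falls back; server rejects unpatched clients'
    1 = 'Mitigated: client never falls back; server still accepts unpatched clients'
    2 = 'Vulnerable: client may fall back to the insecure protocol version'
}

$value = (Get-ItemProperty -Path $regPath -Name AllowEncryptionOracle `
            -ErrorAction SilentlyContinue).AllowEncryptionOracle

if ($null -eq $value) {
    # No explicit policy: the patched default applies. Microsoft's March 2018
    # update defaulted to Vulnerable; the May 2018 update changed it to Mitigated.
    "AllowEncryptionOracle is not set; the patched default applies " +
    "(Vulnerable with the March 2018 update, Mitigated from the May 2018 update)."
}
elseif ($meaning.ContainsKey([int]$value)) {
    "AllowEncryptionOracle = $value : $($meaning[[int]$value])"
}
else {
    "AllowEncryptionOracle has an unexpected value: $value"
}
```

Run it on both the RDP/WinRM clients and the servers they connect to. Leaving the value at 2 (or at the March 2018 default) means a patched client can still be downgraded by a MitM posing as an unpatched server, so once every endpoint has the update, move to Mitigated or Force Updated Clients; note that Force Updated Clients makes servers refuse connections from any client that has not been patched.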
Update: Preempt has since published its in-depth technical report on the vulnerability.