Microsoft issued new security guidance on the Credential Security Support Provider protocol (CredSSP) vulnerability CVE-2018-0886 that could allow remote code execution. As part of the updates, Microsoft plans to soon prevent un-patched RDP clients (that uses CredSSP) from authenticating to Windows.
The security advisory for the CredSSP vulnerability was made available on March 13 and stated that an attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system.
In the March 13 update, Microsoft issued the following CredSSP guidance:
“Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to ‘Force updated clients’ or ‘Mitigated’ on client and server computers as soon as possible. These changes will require a reboot of the affected systems.”
In the latest updates, Microsoft released the following scheduled updates:
April 17, 2018 (tentative)
“The Remote Desktop Client (RDP) update will enhance the error message that is presented when an updated client fails to connect to a server that has not been updated.”
May 8, 2018 (tentative)
“An update to change the default setting from Vulnerable to Mitigated.”
Security administrators should keep a close eye on upcoming updates to stay on top of the CredSSP patches and permanent fixes.