CVE-2018-0886 – CredSSP Encryption Oracle Remediation

The Credential Security Support Provider protocol (CredSSP) is an authentication provider that is implemented by using the Security Support Provider Interface (SSPI).

Microsoft found a remote code execution vulnerability in the existing CredSSP version. An attacker who successfully exploits it could relay user credentials to execute code on the target system and in any application that depends on CredSSP.

[Screenshot: RDP authentication failed]

For this vulnerability, Microsoft released the CVE-2018-0886 security patches on March 13th, 2018 and updated them on May 18th, 2018. The patches address the vulnerability by correcting how CredSSP validates requests during the authentication process. This issue can occur if the user's machine and the remote machine have different Encryption Oracle Remediation settings. By default, Encryption Oracle Remediation is not configured; users must enable it and define a protection level to protect their systems against this vulnerability. See the following interoperability matrix for the scenarios that are either vulnerable to the exploit or cause operational failures.

                                                  Server
Client                 Unpatched    Force updated clients   Mitigated    Vulnerable
Unpatched              Vulnerable   Blocked                 Vulnerable   Vulnerable
Force updated clients  Blocked      Secured                 Secured      Secured
Mitigated              Blocked      Secured                 Secured      Secured
Vulnerable             Vulnerable   Secured                 Secured      Vulnerable

Here are two options to fix this issue:

Option 1

Run gpedit.msc and browse to Computer Configuration / Administrative Templates / System / Credentials Delegation in the left pane.

Set the Encryption Oracle Remediation policy to Enabled and its Protection Level to Vulnerable.

Option 2

1.) Open Notepad and paste the lines below (use straight double quotes; curly quotes will make the import fail):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]

"AllowEncryptionOracle"=dword:00000002

2.) Save the file on the desktop as credSSP.reg.

3.) Double-click the credSSP.reg file you saved on the desktop.

Alternatively, instead of steps 1 to 3, run the equivalent command from an elevated command prompt:

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
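The following PowerShell script is an added example and is not part of the original post or of Microsoft's guidance. It reads the AllowEncryptionOracle value that Option 1 and Option 2 write, maps it to the protection level names used in the matrix above (0 = Force updated clients, 1 = Mitigated, 2 = Vulnerable, as documented by Microsoft for CVE-2018-0886), and reports what the matrix predicts for this machine as an RDP client against each possible server state. The function names and the $CredSspParamsPath variable are this example's own; a change function with -WhatIf support is included so the level can be raised again once the servers are patched.

```powershell
# Added example, not part of the original post. Audits and optionally sets the
# CredSSP "Encryption Oracle Remediation" level on the local machine and checks
# it against the client/server interoperability matrix from the post.
# Function names and $CredSspParamsPath are this example's own conventions.
# Run from an elevated PowerShell session: the Set-* function writes to HKLM.

$CredSspParamsPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

# AllowEncryptionOracle values documented by Microsoft for CVE-2018-0886.
$ProtectionLevels = @{
    0 = 'Force updated clients'
    1 = 'Mitigated'
    2 = 'Vulnerable'
}

# Interoperability matrix from the post: $Matrix[client][server] -> outcome.
$Matrix = @{
    'Unpatched'             = @{ 'Unpatched' = 'Vulnerable'; 'Force updated clients' = 'Blocked'; 'Mitigated' = 'Vulnerable'; 'Vulnerable' = 'Vulnerable' }
    'Force updated clients' = @{ 'Unpatched' = 'Blocked';    'Force updated clients' = 'Secured'; 'Mitigated' = 'Secured';    'Vulnerable' = 'Secured' }
    'Mitigated'             = @{ 'Unpatched' = 'Blocked';    'Force updated clients' = 'Secured'; 'Mitigated' = 'Secured';    'Vulnerable' = 'Secured' }
    'Vulnerable'            = @{ 'Unpatched' = 'Vulnerable'; 'Force updated clients' = 'Secured'; 'Mitigated' = 'Secured';    'Vulnerable' = 'Vulnerable' }
}

function Get-CredSspProtectionLevel {
    # Reads AllowEncryptionOracle; a missing key or value means "not configured".
    $item = Get-ItemProperty -Path $CredSspParamsPath -Name 'AllowEncryptionOracle' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ RawValue = $null; Level = 'Not configured' }
    }
    $raw = [int]$item.AllowEncryptionOracle
    $level = if ($ProtectionLevels.ContainsKey($raw)) { $ProtectionLevels[$raw] } else { "Unknown ($raw)" }
    [pscustomobject]@{ RawValue = $raw; Level = $level }
}

function Get-CredSspInteropOutcome {
    # Matrix lookup for one client/server pairing.
    param(
        [Parameter(Mandatory)][ValidateSet('Unpatched', 'Force updated clients', 'Mitigated', 'Vulnerable')][string]$ClientLevel,
        [Parameter(Mandatory)][ValidateSet('Unpatched', 'Force updated clients', 'Mitigated', 'Vulnerable')][string]$ServerLevel
    )
    $Matrix[$ClientLevel][$ServerLevel]
}

function Test-CredSspConfiguration {
    # Reports how this machine, used as an RDP client, fares against every server state.
    $local = Get-CredSspProtectionLevel
    $clientRow = if ($local.Level -in $Matrix.Keys) { $local.Level } else { $null }
    foreach ($server in 'Unpatched', 'Force updated clients', 'Mitigated', 'Vulnerable') {
        # "Not configured" has no matrix row: the effective level then depends on which update is installed.
        $outcome = if ($clientRow) { Get-CredSspInteropOutcome -ClientLevel $clientRow -ServerLevel $server } else { 'Depends on installed update' }
        [pscustomobject]@{
            LocalLevel  = $local.Level
            ServerState = $server
            Outcome     = $outcome
        }
    }
    if ($local.Level -eq 'Vulnerable') {
        Write-Warning 'AllowEncryptionOracle=2 (Vulnerable): sessions to unpatched servers work but are exposed; raise the level to Mitigated or Force updated clients once the servers are patched.'
    }
}

function Set-CredSspProtectionLevel {
    # Writes the chosen level; supports -WhatIf / -Confirm through ShouldProcess.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Force updated clients', 'Mitigated', 'Vulnerable')][string]$Level
    )
    $value = ($ProtectionLevels.GetEnumerator() | Where-Object { $_.Value -eq $Level }).Key
    if ($PSCmdlet.ShouldProcess($CredSspParamsPath, "Set AllowEncryptionOracle=$value ($Level)")) {
        New-Item -Path $CredSspParamsPath -Force | Out-Null
        Set-ItemProperty -Path $CredSspParamsPath -Name 'AllowEncryptionOracle' -Value $value -Type DWord
    }
}

# Usage:
#   Test-CredSspConfiguration | Format-Table -AutoSize
#   Set-CredSspProtectionLevel -Level 'Mitigated' -WhatIf
```

Test-CredSspConfiguration is the check to run after applying either option: if the report shows "Vulnerable" in the Unpatched-server row, the workaround has restored connectivity by accepting exposure, and the lasting fix is still to patch the servers and then raise the level with Set-CredSspProtectionLevel.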

Important things to know:

  • If the CVE-2018-0886 security update is installed on the user's PC but the server has not been updated, the user cannot communicate with the unpatched server.
  • If the CVE-2018-0886 security update is not installed on the user's PC but is installed on the remote PC, RDP still works, but the session will be exposed to attackers.
  • If the CVE-2018-0886 security update is installed on both machines (the user's machine and the server), the RDP session works securely.

Ref: https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018


1 thought on "CVE-2018-0886 – CredSSP Encryption Oracle Remediation"

  1. Thanks for your information. This is very valuable information for me. I was trying to fix this issue for 1 week. Now the issue has been resolved.

    Thank You
