The Credential Security Support Provider protocol (CredSSP) is an authentication provider that is implemented by using the Security Support Provider Interface (SSPI).
Microsoft found a remote code execution vulnerability in the existing CredSSP version. An attacker who successfully exploits it could relay user credentials to execute code on the target system, affecting any application that depends on CredSSP.
For this vulnerability, Microsoft released the CVE-2018-0886 security patches on March 13th, 2018, then updated them on May 18th, 2018, addressing the vulnerability by correcting how CredSSP validates requests during the authentication process. The issue can occur if the user's machine and the remote machine have different Encryption Oracle Remediation settings. By default, Encryption Oracle Remediation is not configured; users must enable it and define a protection level to protect their systems against this vulnerability. See the following interoperability matrix for scenarios that are either vulnerable to the exploit or cause operational failures.
|Client policy setting \ Server policy setting|Unpatched|Force updated clients|Mitigated|Vulnerable|
|---|---|---|---|---|
|Force updated clients|Blocked|Secured|Secured|Secured|
Here are two options to fix this issue:

Option 1: Group Policy
1.) Execute gpedit.msc and browse to Computer Configuration / Administrative Templates / System / Credentials Delegation in the left pane.
2.) Change the Encryption Oracle Remediation policy to Enabled, and set Protection Level to Vulnerable.

Option 2: Registry file
1.) Open Notepad and paste the lines below (this is the .reg file format; the value 2 corresponds to the Vulnerable protection level, 1 to Mitigated and 0 to Force updated clients):
Windows Registry Editor Version 5.00

; AllowEncryptionOracle: 0 = Force updated clients, 1 = Mitigated, 2 = Vulnerable
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002
2.) Save the file on the desktop with the name credSSP.reg.
3.) Double-click the credSSP.reg file you saved on the desktop to import it.
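As an added example (not part of the original post), the following PowerShell script audits the AllowEncryptionOracle value that the .reg file above writes, reports which protection level it corresponds to, and can set a chosen level instead of the fixed value 2; the function names are my own. It assumes the CVE-2018-0886 update is installed (the value has no effect on an unpatched system) and an elevated prompt when changing the value.

```powershell
# Added example, not from the original post: audit/set the CredSSP
# Encryption Oracle Remediation level stored under AllowEncryptionOracle.
# Assumes the CVE-2018-0886 update is installed; run elevated to change it.

$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

# Meaning of each AllowEncryptionOracle value (Encryption Oracle Remediation policy)
$Levels = @{
    0 = 'Force updated clients'   # unpatched peers are blocked
    1 = 'Mitigated'               # client refuses unpatched servers; server still accepts unpatched clients
    2 = 'Vulnerable'              # allows everything; the session stays exposed to credential relay
}

function Get-CredSspOracleLevel {
    # Returns the configured value, or $null when the policy is not configured.
    $item = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AllowEncryptionOracle
}

function Show-CredSspOracleLevel {
    $level = Get-CredSspOracleLevel
    if ($null -eq $level) {
        Write-Host "AllowEncryptionOracle is not configured (patched systems behave as 'Mitigated' by default since the May 2018 update)."
    } elseif ($Levels.ContainsKey($level)) {
        Write-Host ("AllowEncryptionOracle = {0} ({1})" -f $level, $Levels[$level])
    } else {
        Write-Warning "AllowEncryptionOracle has an unexpected value: $level"
    }
    if ($level -eq 2) {
        Write-Warning "Level 2 (Vulnerable) leaves CVE-2018-0886 open; use it only while unpatched servers remain, then move to 1 (Mitigated)."
    }
}

function Set-CredSspOracleLevel {
    # Same effect as importing credSSP.reg, with the level as a parameter.
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Level)
    if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    Set-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -Value $Level -Type DWord
    Write-Host ("Set AllowEncryptionOracle to {0} ({1})" -f $Level, $Levels[$Level])
}

Show-CredSspOracleLevel
# Once every server is patched: Set-CredSspOracleLevel -Level 1
```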
Important things to know:
- If the CVE-2018-0886 security update is installed on the user's PC but not on the server, the user cannot communicate with the unpatched server.
- If the CVE-2018-0886 security update is not installed on the user's PC but is installed on the remote PC, an RDP session can be established, but it is exposed to attackers.
- If the CVE-2018-0886 security update is installed on both machines (the user's machine and the server), the RDP session works securely.