CredSSP Encryption Oracle Remediation

Last modified: March 26, 2020

Overview

A fix for a CredSSP vulnerability, a “Remote Code Execution” flaw (CVE-2018-0886) that can affect RDP connections, was released in the March 2018 security release. The exploit chain that was observed runs as follows:

  • Targets receive a malicious RTF Microsoft Office document
  • Once opened, the malicious document downloads the second stage of the exploit, an HTML page containing malicious code
  • The malicious code triggers the use-after-free memory-corruption bug
  • The accompanying shellcode then downloads and executes a malicious payload

Symptoms

1. The VM screenshot shows the OS fully loaded and waiting for credentials.

2. If you try to RDP to the VM, either internally or externally, you get the message:

“An authentication error has occurred.”

“This could be due to CredSSP encryption oracle remediation.”

For more information, see Microsoft Support

Root Cause Analysis

In May 2018, the monthly Windows update addressed the vulnerability in the Credential Security Support Provider (CredSSP) protocol. It made two changes:

  1. Corrected how the Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process
  2. Changed the default setting of the Encryption Oracle Remediation group policy from Vulnerable to Mitigated

If the client and server have different expectations when negotiating a secure RDP session, the connection can be blocked.

The update may also change the current default setting, which in turn changes what each side requires before it will accept a secure session.

Below is the matrix of RDP results for each possible client/server situation:

[Figure: CredSSP Encryption Oracle Remediation, matrix of RDP results for each client/server patch and setting combination]

Examples:

1. If both client and server are patched and use the default setting (Mitigated), RDP works securely.

Resolution / Fix

Ensure that the recent patch is installed on both the client and the server, so that the RDP session is negotiated securely.

Alternative Workarounds

Mitigation 1

If you cannot RDP from your patched client to the VM, you can temporarily change the policy setting to regain RDP access to the servers.

To do so, open the Local Group Policy Editor: run gpedit.msc and browse to Computer Configuration / Administrative Templates / System / Credentials Delegation in the left panel:

[Screenshot: Local Group Policy Editor, Credentials Delegation node]

After that, change the Encryption Oracle Remediation policy to Enabled and set Protection Level to Vulnerable:

[Screenshot: Encryption Oracle Remediation policy set to Enabled, Protection Level Vulnerable]
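The workaround above, and the checks that go with it, can be scripted instead of clicked through in gpedit.msc. The following PowerShell is an added example written for this article, not the article's or Microsoft's own code. It assumes the registry location and value name that Microsoft documents for the Encryption Oracle Remediation policy (the same value gpedit.msc writes), an elevated session, and a hypothetical host name in the usage comment. It reads the current Protection Level, applies Vulnerable only for the lifetime of one mstsc session before restoring the previous level, and lists the CredSSP negotiation failures a patched host logs, so the symptom in the Symptoms section can be confirmed from the event log rather than the error dialog.

```powershell
# Added example, not part of the original article. Audits the CredSSP
# "Encryption Oracle Remediation" policy on the local machine, applies the
# temporary workaround from the article (Protection Level = Vulnerable) only
# for the duration of one RDP session, and restores the previous level.
# Registry path and value name are the ones Microsoft documents for this policy
# (the same value gpedit.msc writes). Run in an elevated PowerShell session.
# If a domain GPO configures the policy, it overwrites the local value on refresh.

$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName  = 'AllowEncryptionOracle'

# DWORD values the policy stores for each Protection Level.
$Levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleState {
    # Returns the configured Protection Level. A missing value means
    # "Not configured", which a patched system treats as Mitigated.
    $prop = Get-ItemProperty -Path $CredSspKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Not configured (treated as Mitigated once patched)' }
    $raw = [int]$prop.$ValueName
    if ($Levels.ContainsKey($raw)) { return $Levels[$raw] }
    return "Unknown value $raw"
}

function Set-CredSspOracleState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Force Updated Clients', 'Mitigated', 'Vulnerable')]
        [string]$Level
    )
    $value = ($Levels.GetEnumerator() | Where-Object { $_.Value -eq $Level }).Key
    if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    New-ItemProperty -Path $CredSspKey -Name $ValueName -PropertyType DWord `
        -Value $value -Force | Out-Null
    Write-Verbose "CredSSP Encryption Oracle Remediation set to '$Level' ($value)"
    # New RDP sessions pick the value up immediately; no reboot is needed.
}

function Connect-RdpWithTemporaryWorkaround {
    # Lowers the level to Vulnerable only while mstsc is running, then restores
    # the previous level even if the session fails. Intended for reaching an
    # unpatched server just long enough to install the patch on it.
    param([Parameter(Mandatory)][string]$ComputerName)
    $previous  = Get-CredSspOracleState
    $restoreTo = if ($Levels.ContainsValue($previous)) { $previous } else { 'Mitigated' }
    try {
        Set-CredSspOracleState -Level 'Vulnerable'
        Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:$ComputerName" -Wait
    }
    finally {
        Set-CredSspOracleState -Level $restoreTo
    }
}

function Get-CredSspNegotiationFailures {
    # Patched hosts log an event when a CredSSP peer offers a protocol version
    # that the current Protection Level does not permit. Event ID 6041 in the
    # System log is the ID Microsoft's CredSSP guidance gives for this failure;
    # adjust the filter if the KB revision you follow documents a different one.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'System'; Id = 6041; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Typical triage (host name below is hypothetical):
#   Get-CredSspOracleState                      # expect 'Mitigated' or 'Not configured'
#   Get-CredSspNegotiationFailures -Hours 48    # which peers failed, and which version they offered
#   Connect-RdpWithTemporaryWorkaround -ComputerName 'vm-to-patch.example'
```

The try/finally in Connect-RdpWithTemporaryWorkaround is the point of the script: the Vulnerable setting is the part of the workaround that is easy to forget, and restoring it in finally means a failed or abandoned session still leaves the client at its previous level. Get-CredSspNegotiationFailures is the server-side counterpart to the client error dialog: it shows which peers are being refused and the protocol version they offered, which tells you whether the peer or the local policy is the side that still needs the patch.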
