{"id":25881,"date":"2020-12-21T02:40:59","date_gmt":"2020-12-20T18:40:59","guid":{"rendered":"https:\/\/web.mwwsb.com.my\/pjci\/?post_type=kb&#038;p=25881"},"modified":"2022-09-08T21:38:48","modified_gmt":"2022-09-08T13:38:48","slug":"unable-to-rdp-credssp-encryption-oracle-remediation","status":"publish","type":"kb","link":"https:\/\/www.casbay.com\/guide\/kb\/unable-to-rdp-credssp-encryption-oracle-remediation","title":{"rendered":"CredSSP Encryption Oracle Remediation"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"25881\" class=\"elementor elementor-25881\" data-elementor-post-type=\"kb\">\n\t\t\t\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e5881e8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e5881e8\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e053a45\" data-id=\"e053a45\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-58c66b8 elementor-widget elementor-widget-heading\" data-id=\"58c66b8\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">CredSSP Encryption Oracle Remediation<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-73207fe elementor-widget elementor-widget-heading\" data-id=\"73207fe\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-medium\">Overview<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div 
class=\"elementor-element elementor-element-69cdb74 elementor-widget elementor-widget-text-editor\" data-id=\"69cdb74\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>There is a fix for a CredSSP \u201cRemote Code Execution\u201d vulnerability (CVE-2018-0886). However, it may affect RDP connections. The fix was released in the March 2018 security update. The exploits that were observed work as follows:<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6172989 elementor-widget elementor-widget-text-editor\" data-id=\"6172989\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul><li>Targets receive a malicious RTF Microsoft Office document.<\/li><li>After opening, the malicious document allows the exploit\u2019s second phase to be downloaded as a malicious HTML page.<\/li><li>The malicious code triggers the use-after-free memory-corruption bug and runs the accompanying shellcode, which then downloads and executes a malicious payload.<\/li><\/ul>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b108d5c elementor-widget elementor-widget-heading\" data-id=\"b108d5c\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-medium\">Symptoms<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-723046c elementor-widget elementor-widget-text-editor\" data-id=\"723046c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>1. The VM screenshot shows the OS fully loaded and waiting for credentials.<\/p><p>2. 
If you try to RDP to the VM either internally or externally, you\u2019ll get the message:<\/p><p>\u201cAn authentication error has occurred.\u201d<\/p><p>\u201cThis could be due to CredSSP encryption oracle remediation.\u201d<\/p><p>For more information, see\u00a0<a href=\"https:\/\/go.microsoft.com\/fwlink\/?linkid=866660\" rel=\"noopener\">Microsoft Support<\/a>.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-dbb57a6 elementor-widget elementor-widget-heading\" data-id=\"dbb57a6\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-medium\">Root Cause Analysis<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-33bc2f9 elementor-widget elementor-widget-text-editor\" data-id=\"33bc2f9\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>In May, a monthly Windows update resolved a vulnerability in the Credential Security Support Provider (CredSSP) protocol. It does two things:<\/p><ol><li><em>Correct how the Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process.<\/em><\/li><li><em>Change the default setting of the Encryption Oracle Remediation group policy from Vulnerable to Mitigated.<\/em><\/li><\/ol><p>If the server and client have different expectations when setting up a secure RDP session, the connection can be blocked.<\/p><p>Moreover, a later update could change the current default setting again. 
Therefore, it impacts the secure session requirement.<\/p><p>Below is the matrix for each possible situation for RDP result:<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3529efe elementor-widget elementor-widget-image\" data-id=\"3529efe\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/casbay.com\/guide\/wp-content\/uploads\/2021\/02\/rdpissue.png\" title=\"\" alt=\"\" loading=\"lazy\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2b03910 elementor-widget elementor-widget-text-editor\" data-id=\"2b03910\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<figure class=\"wp-caption alignnone\"><figcaption class=\"wp-caption-text\">Matrix for each possible situation for RDP result<\/figcaption><\/figure>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1f26297 elementor-widget elementor-widget-heading\" data-id=\"1f26297\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-medium\">Examples:<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-59228cd elementor-widget elementor-widget-text-editor\" data-id=\"59228cd\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>If both client &amp; server come with a default setting (Mitigated), RDP will work in a secure way.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a0793d9 elementor-widget elementor-widget-heading\" 
data-id=\"a0793d9\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-medium\">Resolution \/ Fix<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6aa58e1 elementor-widget elementor-widget-text-editor\" data-id=\"6aa58e1\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Be sure to install the latest patch on both the client and server sides, so that RDP is set up securely.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0cbd96a elementor-widget elementor-widget-heading\" data-id=\"0cbd96a\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-medium\">Alternative Workarounds<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-724ac03 elementor-widget elementor-widget-heading\" data-id=\"724ac03\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-medium\">Mitigation 1<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ac46fb9 elementor-widget elementor-widget-text-editor\" data-id=\"ac46fb9\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>If you cannot RDP from your patched client to the VM, you can temporarily change the policy settings\u00a0<strong>of the client<\/strong>\u00a0to regain RDP access to the servers.<\/p><p>You can change the settings in the Local Group Policy Editor. 
Next, execute <strong>gpedit.msc<\/strong>\u00a0and browse to\u00a0<strong>Computer Configuration \/ Administrative Templates \/ System \/ Credentials Delegation<\/strong>\u00a0in the left panel:<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b63c15f elementor-widget elementor-widget-image\" data-id=\"b63c15f\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/casbay.com\/guide\/wp-content\/uploads\/2021\/02\/credSSP-change-Local-Group-Ploicy-Editor.png\" title=\"\" alt=\"\" loading=\"lazy\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-aee91c4 elementor-widget elementor-widget-text-editor\" data-id=\"aee91c4\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<figure id=\"attachment_5858\" class=\"wp-caption alignnone\" aria-describedby=\"caption-attachment-5858\"><figcaption id=\"caption-attachment-5858\" class=\"wp-caption-text\">Change Local Group Policy Editor<\/figcaption><\/figure>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e7494ec elementor-widget elementor-widget-image\" data-id=\"e7494ec\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/casbay.com\/guide\/wp-content\/uploads\/2021\/02\/credSSP-change-Encryption-Oracle-Remediation.png\" title=\"\" alt=\"\" loading=\"lazy\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-fb16e2d elementor-widget elementor-widget-text-editor\" data-id=\"fb16e2d\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<figure id=\"attachment_5857\" class=\"wp-caption alignnone\" aria-describedby=\"caption-attachment-5857\"><figcaption id=\"caption-attachment-5857\" class=\"wp-caption-text\">Change Encryption Oracle Remediation<\/figcaption><\/figure>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>CredSSP Encryption Oracle Remediation Overview There is a fix for a CredSSP \u201cRemote Code Execution\u201d vulnerability (CVE-2018-0886). However, it may affect RDP connections. The fix was released in the March 2018 security update. The exploits that were observed work as follows: Targets receive a malicious RTF Microsoft Office document. 
After opening, the malicious document allows [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"site-sidebar-layout":"no-sidebar","site-content-layout":"page-builder","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"disabled","ast-breadcrumbs-content":"","ast-featured-img":"disabled","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"default","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}}},"kbtopic":[60],"kbtag":[106],"mkb_version":[],"_links":{"self":[{"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/kb\/25881"}],"collection":[{"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/comments?post=25881"}],"version-history":[{"count":16,"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/kb\/25881\/revisions"}],"predecessor-version":[{"id":37080,"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/kb\/25881\/revisions\/37080"}],"wp:attachment":[{"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/media?parent=25881"}],"wp:term":[{"taxonomy":"kbtopic","embeddable":true,"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/kbtopic?post=25881"},{"taxonomy":"kbtag","embeddable":true,"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/kbtag?post=25881"},{"taxonomy":"mkb_version","embeddable":true,"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/mkb_version?post=25881"}],"
curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}