Microsoft dismisses new Windows RDP ‘bug’ as a feature

Researchers have found an unexpected behavior in a feature designed to protect remote sessions that could allow attackers to take control of them.

The issue, discovered by Joe Tammariello at the CERT Coordination Center (CERT) at Carnegie Mellon’s Software Engineering Institute, is documented as CVE-2019-9510. It stems from Network Level Authentication (NLA), which is a feature that you can use to protect Windows installations that have the Remote Desktop Protocol (RDP) enabled. NLA stops anyone from remotely logging into the Windows computer by requiring them to authenticate first.

Starting with Windows 10 release 1803 in April 2019, and with Windows Server 2019, Microsoft changed the way NLA works. Now, the authentication mechanism caches the client’s login credentials on the host so that it can quickly log the client in again if it loses connectivity. The change enables an attacker to circumvent a Windows lock screen, warns CERT/CC, which disclosed the issue, in an advisory.

Let’s say you remotely log in to a Windows box using RDP. Then, you lock that remote desktop to stop an attacker from accessing it from your machine while you leave the room.

The attacker could interrupt the network connection between the local machine and the remote Windows box and then reestablish it, by unplugging the network cable and plugging it in again (or disabling and re-enabling Wi-Fi).

That’s where the unexpected behavior kicks in, according to the advisory:

Because of this vulnerability, the reconnected session is restored to a logged-in desktop rather than the login screen. This means that the remote system unlocks without requiring any credentials to be manually entered.
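
On the defensive side, the sequence described above (lock, connection drop, reconnect) can be searched for in the remote host's Security log. The following is an added example, not code from the article or the CERT/CC advisory. It assumes events exported as (timestamp, event ID, host, user) tuples using the standard Windows event IDs 4800/4801 (workstation locked/unlocked) and 4779/4778 (session disconnected/reconnected); the sample records are constructed.

```python
from datetime import datetime

# Windows Security log event IDs (logged when "Audit Other Logon/Logoff
# Events" is enabled on the RDP host).
LOCKED, UNLOCKED, RECONNECTED, DISCONNECTED = 4800, 4801, 4778, 4779

# Constructed sample records: (timestamp, event ID, host, user).
SAMPLE_EVENTS = [
    ("2019-06-04T09:00:00", 4800, "SRV01", "alice"),  # alice locks the session
    ("2019-06-04T09:05:10", 4779, "SRV01", "alice"),  # connection drops
    ("2019-06-04T09:05:25", 4778, "SRV01", "alice"),  # reconnect, no unlock seen
    ("2019-06-04T10:00:00", 4779, "SRV01", "bob"),    # bob was never locked
    ("2019-06-04T10:01:00", 4778, "SRV01", "bob"),
    ("2019-06-04T11:00:00", 4800, "SRV02", "carol"),  # carol locks...
    ("2019-06-04T11:02:00", 4801, "SRV02", "carol"),  # ...and unlocks herself
    ("2019-06-04T11:10:00", 4779, "SRV02", "carol"),
    ("2019-06-04T11:11:00", 4778, "SRV02", "carol"),
]

def find_reconnects_while_locked(events):
    """Flag sessions that were locked, dropped, then reconnected with no
    unlock event in between. Assumption: hits are sessions to review, since
    the page does not say which events the restored session itself logs."""
    state = {}      # (host, user) -> lock flag and time of last disconnect
    findings = []
    for ts, event_id, host, user in sorted(events):
        when = datetime.fromisoformat(ts)
        s = state.setdefault((host, user), {"locked": False, "dropped": None})
        if event_id == LOCKED:
            s["locked"] = True
        elif event_id == UNLOCKED:
            s["locked"] = False
        elif event_id == DISCONNECTED:
            s["dropped"] = when
        elif event_id == RECONNECTED:
            if s["locked"] and s["dropped"] is not None:
                gap = int((when - s["dropped"]).total_seconds())
                findings.append({"host": host, "user": user,
                                 "reconnected": ts, "gap_seconds": gap})
            s["dropped"] = None
    return findings

if __name__ == "__main__":
    for hit in find_reconnects_while_locked(SAMPLE_EVENTS):
        print(hit)
```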
