Remote Desktop Zero-Day Vulnerability

 

Systems Affected


Latest Windows systems where Remote Desktop sessions use Network Level Authentication (NLA)

Threat Level


High


Overview


An attacker could hijack existing Remote Desktop Services sessions to gain access to a computer (CVE-2019-9510).


Description


An advisory issued today by CERT|CC at the Carnegie Mellon University Software Engineering Institute warns that session locking can behave in an unexpected way on the latest Windows systems where Remote Desktop sessions use NLA.
Even if a user specifically locks a Windows machine during an RDP session, if the session is temporarily disconnected, automatic reconnection restores the session to an unlocked state, regardless of how the remote desktop system was left.
Because NLA is enabled, an attacker requires physical access to such a targeted system (for example, an active session with a locked screen), which limits the attack surface to a great extent.


Impact


  ✦  A target user connects to a Windows 10 or Server 2019 system via RDP
  ✦  The user locks the remote session and leaves the client device unattended
  ✦  An attacker with access to the client device can interrupt its network connectivity and gain access to the remote system without credentials
  ✦  Theft of sensitive and private information
  ✦  Storage or installation of malicious software or programs
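
A defender-side review of the sequence above, as an added example that is not part of the original advisory: it walks Windows Security log records for lock (4800), unlock (4801), disconnect (4779) and reconnect (4778) and flags any reconnect to a session that was still locked. The flattened record layout, field names and sample values are assumptions made for illustration, and lock/unlock events are only present when the relevant audit policy is enabled.

```python
from dataclasses import dataclass

# Real Windows Security log event IDs; the record layout is a constructed,
# simplified export (assumption), not the native event XML.
LOCKED, UNLOCKED, RECONNECTED, DISCONNECTED = 4800, 4801, 4778, 4779

@dataclass
class Finding:
    logon_id: str
    user: str
    locked_at: str
    reconnected_at: str
    client_address: str

def find_reconnects_to_locked_sessions(events):
    """Flag every reconnect (4778) to a session whose last lock (4800) was
    never followed by an unlock (4801). Correlates on the Logon ID."""
    locked_since = {}  # logon_id -> time of the lock still in effect
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        lid, eid = ev["logon_id"], ev["event_id"]
        if eid == LOCKED:
            locked_since[lid] = ev["time"]
        elif eid == UNLOCKED:
            locked_since.pop(lid, None)
        elif eid == RECONNECTED and lid in locked_since:
            # Lock state after the reconnect is unknown, so clear it and
            # wait for the next 4800 before flagging this session again.
            findings.append(Finding(lid, ev["user"], locked_since.pop(lid),
                                    ev["time"], ev.get("client_address", "")))
    return findings

def _ev(time, event_id, logon_id, user, client_address=""):
    return {"time": time, "event_id": event_id, "logon_id": logon_id,
            "user": user, "client_address": client_address}

# Constructed sample records, not taken from a real system.
SAMPLE_EVENTS = [
    _ev("2019-06-05T12:00:10", LOCKED, "0x3e7a1", "alice"),
    _ev("2019-06-05T12:07:02", DISCONNECTED, "0x3e7a1", "alice"),
    _ev("2019-06-05T12:07:20", RECONNECTED, "0x3e7a1", "alice", "192.0.2.15"),
    _ev("2019-06-05T12:10:00", LOCKED, "0x51c02", "bob"),
    _ev("2019-06-05T12:30:00", UNLOCKED, "0x51c02", "bob"),
    _ev("2019-06-05T12:31:00", DISCONNECTED, "0x51c02", "bob"),
    _ev("2019-06-05T12:31:30", RECONNECTED, "0x51c02", "bob", "192.0.2.44"),
]

if __name__ == "__main__":
    for f in find_reconnects_to_locked_sessions(SAMPLE_EVENTS):
        print(f"review: {f.user} session {f.logon_id} locked {f.locked_at}, "
              f"reconnected {f.reconnected_at} from {f.client_address}")
```

Each finding is a session to review, not proof of misuse: a legitimate user reconnecting to their own locked session produces the same sequence.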


Solution/Workarounds


  ✦  Microsoft is still unable to patch the system


References


  ✦  https://thehackernews.com/2019/06/rdp-windows-lock-screen.html
  ✦  https://www.bleepingcomputer.com/news/security/remote-desktop-zero-day-bug-allows-attackers-to-hijack-sessions/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


 
     

© Copyright Sri Lanka CERT|CC. All Rights Reserved.