Earlier this week, the United States National Security Agency (NSA) urged Windows administrators to patch older versions of Windows to protect against BlueKeep, a vulnerability in the Remote Desktop Protocol (RDP) that an attacker could exploit to conduct a denial of service (DoS) attack. Now, just a couple of days later, security researchers are warning of another RDP bug, this one affecting more recent versions of Windows, and it doesn't appear that Microsoft will be issuing a patch.
Whereas BlueKeep affects Windows 7, Windows XP, Windows Server 2008, and Windows Server 2003, this newly discovered bug affects Windows 10 and Windows Server 2019. According to Joe Tammariello at the CERT Coordination Center (CERT) at Carnegie Mellon’s Software Engineering Institute, the bug (CVE-2019-9510) has to do with recent changes Microsoft made to Network Level Authentication (NLA).
NLA is intended to protect Windows installations that have RDP enabled, as it prevents random people from remotely logging into Windows by requiring authentication. However, Microsoft changed the authentication mechanism to cache the client's login information on the RDP host, to make logging in quicker if a user temporarily loses connectivity.
"Starting with Windows 10 1803 (released in April 2018) and Windows Server 2019, the handling of RDP sessions has changed in a way that can cause unexpected behavior with respect to session locking. If a network anomaly triggers a temporary RDP disconnect, upon automatic reconnection the RDP session will be restored to an unlocked state, regardless of how the remote system was left," CERT wrote in an advisory.
When this happens, an attacker can interrupt the network connectivity of the RDP client system, and unlock the system without requiring any input of login credentials. According to CERT, two-factor authentication systems such as Duo Security MFA can also be bypassed because of this vulnerability. Obviously this is a serious problem, but here's the scary part—CERT says it is "unaware of a practical solution to this problem."
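The behaviour CERT describes leaves a trace on the RDP host: a disconnect followed shortly by an automatic reconnect, after which the session is unlocked. The PowerShell function below is an added example, not code from the article, CERT or Microsoft; it pairs Security event 4779 (session disconnected) with the next 4778 (session reconnected) for the same logon ID and reports pairs that fall inside a short window, so an administrator can see which sessions were silently restored unlocked. It assumes the "Audit Other Logon/Logoff Events" subcategory is enabled (otherwise 4778/4779 are not logged), reads the documented EventData field names for those two events, and the 60-second window and function name are my own choices.

```powershell
# Added example: list RDP sessions that were disconnected and then quickly
# reconnected on a Windows 10 1803+ / Server 2019 host. Per CERT's description,
# each such reconnect restored the session unlocked, regardless of how it was left.
# Requires audit subcategory "Audit Other Logon/Logoff Events" (events 4778/4779).

function Get-RdpAutoReconnectCandidates {
    param(
        [int]$WindowSeconds = 60,                 # assumption: "quick" reconnect threshold
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4778, 4779
        StartTime = $Since
    } -ErrorAction SilentlyContinue | Sort-Object TimeCreated

    # Flatten each event into the few EventData fields we need.
    $records = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time          = $e.TimeCreated
            Id            = $e.Id
            Account       = "$($data.AccountDomain)\$($data.AccountName)"
            LogonId       = $data.LogonID
            SessionName   = $data.SessionName
            ClientAddress = $data.ClientAddress
        }
    }

    # Pair each disconnect (4779) with the next reconnect (4778) for the same logon.
    $pendingDisconnect = @{}
    foreach ($r in $records) {
        if ($r.Id -eq 4779) {
            $pendingDisconnect[$r.LogonId] = $r
            continue
        }
        $d = $pendingDisconnect[$r.LogonId]
        if ($null -ne $d) {
            $gap = ($r.Time - $d.Time).TotalSeconds
            if ($gap -le $WindowSeconds) {
                [pscustomobject]@{
                    Account       = $r.Account
                    SessionName   = $r.SessionName
                    Disconnected  = $d.Time
                    Reconnected   = $r.Time
                    GapSeconds    = [math]::Round($gap, 1)
                    ClientAddress = $r.ClientAddress
                    # A reconnect from a different address than the disconnect
                    # deserves a closer look than a same-client network blip.
                    ClientChanged = ($r.ClientAddress -ne $d.ClientAddress)
                }
            }
            $pendingDisconnect.Remove($r.LogonId)
        }
    }
}

# Usage (run elevated on the RDP host):
# Get-RdpAutoReconnectCandidates -WindowSeconds 120 | Format-Table -AutoSize
```

The report cannot tell a benign Wi-Fi hiccup from anything else on its own; its value is in showing how often sessions on a given host are being restored unlocked, and in surfacing reconnects whose client address does not match the disconnect.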
Microsoft is aware of the bug, and normally that would be good news. But in this instance, Microsoft is downplaying the situation, and does not intend to issue a patch. Why? According to Microsoft, everything is working as intended.
"After investigating this scenario, we have determined that this behavior does not meet the Microsoft Security Servicing Criteria for Windows. What you are observing is Windows Server 2019 honoring Network Level Authentication (NLA)," Microsoft said. "Network Level Authentication requires user creds to allow connection to proceed in the earliest phase of connection. Those same creds are used logging the user into a session (or reconnecting). As long as it is connected, the client will cache the credentials used for connecting and reuse them when it needs to auto-reconnect (so it can bypass NLA)."
Microsoft basically just described the vulnerability, without acknowledging that it can be exploited. So, what can affected users do? As noticed by security outfit Sophos, one of Tammariello's colleagues says the best bet is to use the local machine's lock screen feature instead of relying on the RDP lock. And if you need to step away for a moment, disconnect the RDP session as an extra precaution.
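The two pieces of advice above, disconnect the RDP session and lock the local machine rather than the remote one, can be wrapped into a single "step away" command on the client workstation. The following PowerShell function is an added example, not code from the article, CERT or Sophos. It assumes the built-in mstsc.exe client is in use: terminating it drops the connection, so the host marks the session disconnected (not logged off) and the next connection has to pass NLA again with fresh credentials; it then locks the local console with the same LockWorkStation call that Win+L uses. The function name is my own.

```powershell
# Added example: disconnect all open Remote Desktop client sessions, then lock the
# local console. Run on the machine you are physically sitting at, not inside the
# RDP session. A lock issued inside the session is what the auto-reconnect undoes;
# a disconnect plus a local lock is not affected by it.

function Invoke-StepAway {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $clients = Get-Process -Name mstsc -ErrorAction SilentlyContinue
    foreach ($c in $clients) {
        if ($PSCmdlet.ShouldProcess("mstsc PID $($c.Id)", 'Disconnect RDP session')) {
            # Ending the client drops the TCP connection; the remote host keeps the
            # session in the Disconnected state, and nothing is left to auto-reconnect.
            Stop-Process -Id $c.Id -Force
        }
    }

    # Lock the local console (equivalent to Win+L).
    if ($PSCmdlet.ShouldProcess('local console', 'Lock workstation')) {
        rundll32.exe user32.dll,LockWorkStation
    }
}

# Usage from the client workstation:
# Invoke-StepAway -WhatIf   # preview which mstsc instances would be closed
# Invoke-StepAway
```

If you are already inside the remote session and only want to drop it from that side, the built-in `tsdiscon` command with no arguments disconnects the current session; the local lock still has to be done on the client machine.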