Web application security testing specialists have published a report on a new, still-unpatched vulnerability in the Microsoft Windows Remote Desktop Protocol (RDP). Tracked as CVE-2019-9510, the flaw allows an attacker with access to the machine from which an RDP session was opened to bypass the lock screen of that remote desktop session.
The flaw was discovered by Carnegie Mellon University researcher Joe Tammariello. In his report, the researcher explains that the flaw arises in the Windows Remote Desktop feature when it requires users to authenticate with Network Level Authentication (NLA), a security measure that Microsoft had been recommending to its users as protection against the BlueKeep vulnerability.
“If a network error triggers a temporary disconnect from the RDP session while the client was connected to the server but the home screen was locked, after the reconnection the RDP session will be restored, bypassing the lock screen,” the researcher states.
Windows 10 version 1803 and later, as well as Windows Server 2019, are the systems affected, because a recent update changed the handling of NLA-based RDP sessions in a way that causes unexpected behavior in the session lock, notes the web application security testing specialist.
In his report, the specialist describes the process of exploiting the vulnerability in three stages:
1. The target user connects to a Windows 10 or Windows Server system via RDP.
2. The user locks their session and leaves the client device unattended.
3. An attacker with access to that device interrupts the user's network connection; when the RDP client reconnects, the attacker gains access to the remote session without having to authenticate.
According to the web application security testing specialists from the International Institute of Cyber Security (IICS), exploiting this vulnerability is relatively simple, since the attacker only needs to interrupt the network connection of the client system. On the other hand, the attack depends on the attacker having physical access to the unattended client machine, which considerably reduces its reach.
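Because Microsoft has not shipped a fix, defenders are left with detection. The script below is an added example written for this article, not code from the researcher's report or from Microsoft. It scans Windows Security-log events for the sequence the three stages above would leave behind on the RDP server: workstation locked (event 4800), session disconnected (4779), session reconnected (4778), with no workstation unlock (4801) following the reconnect. On a host that behaves as expected, a reconnected session is still locked and the user has to unlock it; the assumption here, which has not been verified against a vulnerable host, is that a session restored in an unlocked state produces no 4801, so reconnects without a trailing unlock are treated as triage leads rather than confirmed bypasses. The event IDs are real Security audit events (the "Other Logon/Logoff Events" subcategory must be enabled for them to be logged); the log-line format and the sample lines are constructed for the example.

```python
"""Hunting heuristic for an RDP lock-screen bypass via reconnection (CVE-2019-9510 pattern).

Added example, not from the original report. Looks, per session, for
  4800 (workstation locked) -> 4779 (session disconnected) -> 4778 (session reconnected)
that is NOT followed by 4801 (workstation unlocked) within a grace window.
Assumption (unverified): a session restored unlocked by the bypass logs no 4801.
Log format below is a simplified, constructed CSV (timestamp,event_id,account,logon_id),
not a real EVTX export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Session 0x3e7a1 is benign: the user reconnects and unlocks.
# Session 0x5c11d is the suspicious pattern: reconnect after a lock, never unlocked.
SAMPLE_LOG = """\
2019-06-04T09:00:00,4800,CORP\\alice,0x3e7a1
2019-06-04T09:00:40,4779,CORP\\alice,0x3e7a1
2019-06-04T09:00:52,4778,CORP\\alice,0x3e7a1
2019-06-04T09:01:05,4801,CORP\\alice,0x3e7a1
2019-06-04T12:10:00,4800,CORP\\bob,0x5c11d
2019-06-04T12:30:10,4779,CORP\\bob,0x5c11d
2019-06-04T12:30:21,4778,CORP\\bob,0x5c11d
2019-06-04T12:45:00,4779,CORP\\bob,0x5c11d
"""

LOCKED, UNLOCKED, DISCONNECTED, RECONNECTED = 4800, 4801, 4779, 4778


def parse_events(text):
    """Parse the constructed CSV format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, logon_id = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(eid),
            "account": account,
            "session": logon_id,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_lock_bypass_candidates(events, unlock_grace=timedelta(minutes=5)):
    """Return (account, session, reconnect_time) for every reconnect of a session that
    was locked and then disconnected, where no unlock follows within unlock_grace."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    findings = []
    for session, evs in by_session.items():
        locked = False
        disconnected = False
        for i, e in enumerate(evs):
            if e["id"] == LOCKED:
                locked = True
            elif e["id"] == UNLOCKED:
                locked = False
            elif e["id"] == DISCONNECTED:
                disconnected = True
            elif e["id"] == RECONNECTED:
                if locked and disconnected:
                    # Expected behaviour: the user must unlock shortly after reconnecting.
                    deadline = e["ts"] + unlock_grace
                    unlocked = any(
                        f["id"] == UNLOCKED and e["ts"] < f["ts"] <= deadline
                        for f in evs[i + 1:]
                    )
                    if not unlocked:
                        findings.append((e["account"], session, e["ts"]))
                disconnected = False
    return findings


if __name__ == "__main__":
    for account, session, when in find_lock_bypass_candidates(parse_events(SAMPLE_LOG)):
        print(f"[triage] {account} session {session}: reconnect at {when.isoformat()} "
              f"after lock+disconnect, no unlock within grace window")
```

Run against the sample it reports only the second session. In practice the same heuristic can be pointed at a real export of the Security log (for example from Get-WinEvent), keyed on the Logon ID field, and the grace window tuned to how long users normally take to unlock after a reconnect.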
Microsoft was notified on April 9th, but responded to the report by stating that “this behavior does not meet the criteria established by the Microsoft Security Center for Windows”, so the flaw will not be corrected, at least not for now.