Vulnerability identifier: #VU18684
Vulnerability risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-287
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Windows Server
Operating systems & Components /
Operating system
Windows
Operating systems & Components /
Operating system
Vendor: Microsoft
Description
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to a logical error in implementation of RDP Network Level Authentication (NLA) when authenticating users after interrupted network connection. Remote Desktop server allows users to automatically authenticate in case of network connectivity loss without providing access credentials. An attacker with access a machine that is being used as RDP client can interrupt connection between the client and remote RDP server, then reconnect to the server and gain access to a remote session that belongs to another workstation user.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
Windows Server: 2019 10.0.17763.1 - 2019 1903
Windows: 10 1903 10.0.18362.116, 10 1809 10.0.17763.1, 10 1803 10.0.17134.48, 10 1709 10.0.16299.19, 10 1703 10.0.15063.138, 10 1607 10.0.14393.10, 10 1511 10.0.10586.3
External links
http://www.kb.cert.org/vuls/id/576688/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.