Microsoft Azure

CredSSP, “Remote Code Execution” vulnerability that impacts RDP connections

Posted on by Melody Zacharias
15
May

Microsoft in the News

Did you know that Microsoft Stores run free Summer Camps?  At Microsoft Store locations in the U.S., Canada, and Puerto Rico, there will be 5 new free YouthSpark Summer Camp curriculums.  Each camp runs one, two, or four 2-hour sessions.  Beginning in May and running through to the end of August, they are open to all, but designed for students aged eight and up.  To register, sign up on-line, or in person at your local Microsoft Store.  The following courses will be available:

  1. Philanthropy Camp.  Teaches students how to create actionable plans to drive fundraising, volunteering and awareness for humanitarian goals.
  2. Students learn how to bring a programmable robot head to life.
  3. 3D and Mixed Reality. With access to Microsoft’s latest 3D and movie-making technology, students learn to develop characters, create storyboards, and then shoot and edit a production that will be premiered at the end of the camp.
  4. Minecraft Coding. Using Minecraft, students will dive into an inclusive and immersive project that teaches computer science concepts like events, coordinates, variables and conditionals.

Beginners fun.  This workshop is for students with little or no computer or coding experience.  Students as young as six will learn how computers and code work together.

For more information, visit the Microsoft Store events page.

 

When you cannot RDP to a VM in Azure

In the March 2018 patch release, there was a fix that addressed a CredSSP, “Remote Code Execution” vulnerability that impacts RDP connections.   You can find details on the why at: https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

This came through as a Windows update in early May.  For me, this issue was noticed when suddenly I could not access my Azure VM; I was getting this message:

 

Here are the potential situations with this patch.

  • If the client is updated and you try to RDP to an Azure VM that was not updated, then it will be blocked and see the error message.
  • If the client is not patched while server is updated, RDP can still work. But the session will be exposed to the attack.
  • If both client & server are patched with default setting (Mitigated), RDP will work in a secure way.

Here are the potential situations with this patch.

  • If the client is updated and you try to RDP to an Azure VM that was not updated, then it will be blocked and see the error message.
  • If the client is not patched while server is updated, RDP can still work. But the session will be exposed to the attack.
  • If both client & server are patched with default setting (Mitigated), RDP will work in a secure way.

This is ultimately because the patch level of the server you are accessing and the system you access it from are at different levels of patching.  It sounds simple to just patch the machine and all is well.  My issue was that RDP was the only way to access that machine and so now I could not access it.

The key patch you want is this one: https://support.microsoft.com/en-us/help/4103723/windows-10-update-kb4103723 released May 9th.

Luckily Microsoft now has a service called Update Management:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-monitoring#manage-windows-updates

Update Management also has a free trial, so even if you don’t keep using it you can use it to fix this issue.  If you search for it you get the home screen seen below which will allow you to set it up.

I already have automation setup for this VM so it was easy to set it up from my VM by choosing update management and following the directions.  You can see below I was missing the offending patch

I scheduled the updates to be done and once complete I was again able to log in with RDP.

Leave a Reply

Your email address will not be published. Required fields are marked *

X