Microsoft Windows RDP Network Level Authentication Bypass (CVE-2019-9510)

Security expert Joe Tammariello of Carnegie Mellon University Software Engineering Institute (SEI), discovered a new unpatched vulnerability in Microsoft Windows Remote Desktop Protocol (RDP).

“Starting with Windows 10 1803 and Windows Server 2019, Windows RDP handling of NLA-based RDP sessions has changed in a way that can cause unexpected behavior with respect to session locking. If a network anomaly triggers a temporary RDP disconnect, upon automatic reconnection the RDP session will be restored to an unlocked state, regardless of how the remote system was left. “

CERT/CC further describes one scenario in which this technique could be used:

  1. User connects to remote Windows 10 1803 or Server 2019 or newer system using RDP.
  2. User locks remote desktop session.
  3. User leaves the physical vicinity of the system being used as an RDP client.

An attacker can interrupt the network connectivity of the RDP client system, this will cause the session with the remote system being unlocked without providing credentials.

The advisory published by the CERT/CC states that two-factor authentication systems that integrate with the Windows login screen (i.e. Duo Security MFA) could be bypassed exploiting the CVE-2019-9510 flaw.

“Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, are also bypassed using this mechanism. Any login banners enforced by an organization will also be bypassed.” continues the advisory.

The CERT/CC suggest the following workarounds:

  1. Lock the local system as opposed to the remote system.
  2. RDP sessions should be disconnected rather than locked to invalidate the current session and prevent an automatic RDP session reconnection without credentials.
Tammariello reported the flaw to Microsoft on April 19, but the company did not acknowledge the flaw

“[The] behavior does not meet the Microsoft Security Servicing Criteria for Windows,” states the company.

Next Post »