THREAT RESPONSE: WINDOWS LOCKSCREEN RDP EXPLOIT

06-06-2019

Last Tuesday, 4th of June, information was published about a new vulnerability that makes it possible to bypass the lock screen of a Remote Desktop session [1]. Exploiting this vulnerability requires physical access to the system that initiated the RDP connection. The vulnerability was assigned the number CVE-2019-9510.

Because this vulnerability received media attention, we would like to provide some more information. Northwave considers the risk of this vulnerability to be minimal.

DESCRIPTION

The vulnerability was discovered in an authentication mechanism that RDP supports, namely Network Level Authentication (NLA). This mechanism allows authentication to take place at the client side before the RDP connection is initiated. Using it reduces the server resources needed for authentication, and it reduces the attack surface of the system because successful authentication is required to set up an RDP connection.

With newer Windows versions, the handling of NLA-based RDP sessions changed. When an RDP connection disconnects, automatic reconnection takes place. When the RDP connection is restored, the machine is unlocked, regardless of its previous state. Because of this behaviour, the lock screen of the Windows system can be bypassed. Take for example the following scenario:

  1. An RDP connection is initiated with a remote system. The user locks the remote system, so the Windows lock screen is visible.
  2. The employee leaves their workstation without locking it.
  3. Somebody who has physical access to the workstation temporarily disables the network connection, thereby disconnecting the RDP session.
  4. After the network connection recovers, the RDP connection is automatically reestablished.
  5. After the connection is reestablished, the remote system is unlocked.

According to the people who found the vulnerability, it also bypasses two-factor authentication that is integrated into the Windows login screen. Exploiting this vulnerability requires physical access to the workstation that is connected to the remote system. Because physical access is necessary, the attack surface is limited. Microsoft has chosen to patch this vulnerability on its regular Patch Tuesday.
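Detection logic for the scenario above, added here as an example and not part of Northwave's advisory: it flags RDP reconnects that reach a session which was locked when it disconnected. It assumes the remote system audits the standard Security events 4800/4801 (lock/unlock) and 4778/4779 (session reconnect/disconnect) and that they are exported as CSV in a column layout chosen for this example; the log lines are constructed.

```python
import csv
import io

# Standard Windows Security audit event IDs (Other Logon/Logoff Events).
LOCKED, UNLOCKED, RECONNECTED, DISCONNECTED = 4800, 4801, 4778, 4779

# Constructed sample export from the remote system, not real log data.
# Assumed columns: time, event id, account, client address.
SAMPLE_LOG = """\
2019-06-05T09:00:12,4778,CORP\\alice,10.0.0.21
2019-06-05T09:41:03,4800,CORP\\alice,
2019-06-05T09:47:30,4779,CORP\\alice,10.0.0.21
2019-06-05T09:47:58,4778,CORP\\alice,10.0.0.21
2019-06-05T10:02:00,4779,CORP\\bob,10.0.0.35
2019-06-05T10:02:40,4778,CORP\\bob,10.0.0.35
2019-06-05T11:15:00,4800,CORP\\carol,
2019-06-05T11:20:00,4801,CORP\\carol,
2019-06-05T11:30:00,4779,CORP\\carol,10.0.0.44
2019-06-05T11:30:20,4778,CORP\\carol,10.0.0.44
"""


def find_locked_reconnects(log_text):
    """Return (time, account, client) for every RDP reconnect that reaches a
    session which was locked at the moment it disconnected."""
    locked = {}          # account -> True while its session is locked
    locked_at_drop = {}  # account -> lock state recorded at disconnect
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4 or not row[1].isdigit():
            continue  # skip blank or malformed lines
        time, event_id, account, client = row[0], int(row[1]), row[2], row[3]
        if event_id == LOCKED:
            locked[account] = True
        elif event_id == UNLOCKED:
            locked[account] = False
        elif event_id == DISCONNECTED:
            locked_at_drop[account] = locked.get(account, False)
        elif event_id == RECONNECTED:
            # pop() so a later reconnect is not judged on stale state
            if locked_at_drop.pop(account, False):
                findings.append((time, account, client))
            # Per the advisory, the restored session comes back unlocked.
            locked[account] = False
    return findings


if __name__ == "__main__":
    for time, account, client in find_locked_reconnects(SAMPLE_LOG):
        print(f"{time} {account}: reconnect from {client} to a locked session")
```

Only the first account's reconnect is reported: the second session was never locked, and the third was unlocked by its user before the connection dropped.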

CVE-2019-9510; Microsoft Windows RDP Network Level Authentication bypass Windows lock screen

CVSS base score: 4.6 (medium)

Vector string: CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:P

RISK

Carnegie Mellon University has created a Metasploit module which allows exploitation of the vulnerability. This module has not been published yet, because the vulnerability has not been patched yet. Northwave assesses the severity of this vulnerability as low, because physical access is required and the workstation itself must be unlocked. Also, the vulnerability is only present in the newer versions of Windows. The following Windows versions are affected:

  • Windows 10 1803 (April 2018)
  • Windows Server 2019

MITIGATION

Microsoft will release a patch next Tuesday (11th of June) to mitigate this vulnerability. Northwave advises installing this patch as soon as possible. Until the patch is released, the following mitigations are available:

  • Always lock workstations that set up RDP connections to remote systems when the owner of the workstation is not physically present.
  • Instead of locking the remote RDP session, disconnect the RDP session.

If you need additional information you can call us by phone or send us an email.

Phone number: 030-3031244 (during business hours)
E-mail: soc@northwave.nl

Do you have an incident right now? Call our CERT number: 0800-2255 2747

SOURCES

[1] Microsoft Windows RDP Network Level Authentication can bypass the Windows lock screen: https://kb.cert.org/vuls/id/576688/

[2] Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708): https://www.zdnet.com/article/even-the-nsa-is-urging-windows-users-to-patch-bluekeep-cve-2019-0708/

 

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.