Mar 16

A critical vulnerability in CredSSP was found that affects RDP and WinRM in all Windows versions

A remote code execution vulnerability in CredSSP provider have been found recently (CVE-2018-0886). It affects RDP and WinRM on all supported Windows versions. An attacker who successfully exploits this vulnerability could relay user credentials to execute code on the target system. Any application that depends on CredSSP for authentication may be vulnerable to this type of attack.You can find more information here:Security Advisory: Critical Vulnerability in CredSSP Allows Remote Code Execution on Servers Through MS-RDP (Video).

It requires the attacker to have access to your network first. But take it seriously – patch your systems.

The fix does not have its own but instead it was included in various KBs:

CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability

The patch was included in March’s patch Tuesday so many Windows Update ready computers should be safe now.

Microsoft plans to make graceful transition from vulnerable to mitigated state of the protocol so clients have time to update and check compatibility/stability. They will release three updates to mitigate the issue:

1) First patch will fix the issueby correcting how CredSSPvalidates requests during the authentication process. The update will introduce a new registry key (and a group policy option Encryption Oracle Remediation) that will change the behavior of CredSSP clients and servers. It was already released on March 13, 2018

Administrators are encouraged toapply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible. These changes will require a reboot of the affected systems

2) On April 17, 2018 Microsoft will release an update to RDP Client (MSTSC) that will enhance the error message that is presented when an updated client fails to connect to a server that has not been updated

3) On May 8, 2018 an update will be released to change the default setting from Vulnerable to Mitigated

The Patch Lady explains everything in details.

Go, patch and configure your systems guys 🙂

Jan 05

WinRM would not listen on port 5985

The WinRM was configured to allow remote administration via a GPO but it wouldn’t let us connect with Enter-PSSession. The firewall rule was there passing the traffic on TCP port 5985.

Checking WinRM config showed something strange:

Listener [Source=”GPO”]
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = null

So WinRM was actually configured but wasn’t listening on any network interface. Why?

Continue reading