CVE-2019-9510 flaw allows hackers to bypass Windows lock screen on RDP sessions

Pierluigi Paganini June 04, 2019

A security expert disclosed technical details of a new unpatched vulnerability (CVE-2019-9510) that affects Microsoft Windows Remote Desktop Protocol (RDP).

Security expert Joe Tammariello of Carnegie Mellon University Software Engineering Institute (SEI), discovered a new unpatched vulnerability in Microsoft Windows Remote Desktop Protocol (RDP).

The flaw, tracked as CVE-2019-9510, could be exploited by an attacker with access to the RDP client system to bypass the lock screen on remote desktop (RD) sessions.

To exploit the flaw, the attacker needs physical access to the system running the RDP client (enough to interrupt its network connectivity); for this reason it received a CVSS score of 4.6 (medium severity). The flaw affects Windows 10 starting with version 1803, and Windows Server 2019.

The vulnerability resides in the way Windows RDP handles sessions authenticated with Network Level Authentication (NLA) when the connection drops and is automatically re-established.

“Microsoft Windows RDP Network Level Authentication can allow an attacker to bypass the lock screen on remote sessions.” reads the advisory published by the CERT/CC.

“Starting with Windows 10 1803 and Windows Server 2019, Windows RDP handling of NLA-based RDP sessions has changed in a way that can cause unexpected behavior with respect to session locking. If a network anomaly triggers a temporary RDP disconnect, upon automatic reconnection the RDP session will be restored to an unlocked state, regardless of how the remote system was left.”

In other words, a network anomaly that briefly disconnects the RDP session is enough: when the client reconnects automatically, the session comes back unlocked, whatever state the remote system was in before the drop. The CERT/CC describes the attack scenario as follows:

  • User connects to remote Windows 10 1803 or Server 2019 or newer system using RDP.
  • User locks remote desktop session.
  • User leaves the physical vicinity of the system being used as an RDP client.

An attacker with access to the RDP client system can then interrupt its network connectivity; on automatic reconnection, the session on the remote system is unlocked without any credentials being entered.

The advisory published by the CERT/CC also states that two-factor authentication systems that integrate with the Windows login screen (such as Duo Security MFA) can be bypassed by exploiting the CVE-2019-9510 flaw.

“Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, are also bypassed using this mechanism. Any login banners enforced by an organization will also be bypassed.” continues the advisory.

The CERT/CC suggests the following workarounds:

  • Lock the local system as opposed to the remote system.
  • Disconnect RDP sessions rather than locking them: disconnecting invalidates the current session and prevents an automatic RDP reconnection without credentials.
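The following PowerShell helpers are an added example that applies the two workarounds above; they are not code from the CERT/CC advisory or from Microsoft. They assume that Windows 10 1803 corresponds to build 17134 and Server 2019 to build 17763 (Microsoft's release history, not stated in the advisory), that `$env:SESSIONNAME` reads `Console` on a local logon and `RDP-Tcp#<n>` inside a Remote Desktop session, and that `tsdiscon` run without arguments disconnects the current session.

```powershell
# Added example (not from the CERT/CC advisory or Microsoft): helpers that apply
# the advisory's two workarounds. Values marked "assumption" are not stated in
# the advisory.

# The advisory names Windows 10 1803 and Server 2019 as the first affected
# releases. Assumption: 1803 is build 17134 and Server 2019 is build 17763, so
# any build at or above 17134 is in scope.
function Test-AffectedBuild {
    param([int]$Build = [System.Environment]::OSVersion.Version.Build)
    return ($Build -ge 17134)
}

# Assumption: $env:SESSIONNAME is "Console" for a local logon and "RDP-Tcp#<n>"
# inside a Remote Desktop session, so it tells us which side of the link we are on.
function Test-InsideRdpSession {
    param([string]$SessionName = $env:SESSIONNAME)
    return ($SessionName -like 'RDP-Tcp*')
}

# Workaround 1: lock the local client, not the remote desktop. The client's own
# Winlogon owns this lock, so a blip on the RDP link cannot undo it.
# The argument is quoted so PowerShell passes "user32.dll,LockWorkStation" as
# one token instead of splitting it on the comma.
function Lock-LocalWorkstation {
    rundll32.exe 'user32.dll,LockWorkStation'
}

# Workaround 2: on the remote host, disconnect the session instead of locking it.
# A disconnected session is not resumed transparently; the user has to
# authenticate again to reconnect to it.
function Disconnect-CurrentRdpSession {
    tsdiscon.exe
}

# Pick the safe action for wherever this runs: inside an RDP session on an
# affected build, a lock can be bypassed (CVE-2019-9510), so disconnect instead;
# on the local console, lock the client itself.
function Invoke-SafeLock {
    param([switch]$WhatIf)
    if (Test-InsideRdpSession) {
        if (Test-AffectedBuild) {
            Write-Warning 'Remote host is Windows 10 1803 / Server 2019 or later: a locked RDP session can be bypassed, disconnecting instead.'
        }
        if ($WhatIf) { 'Would disconnect the current RDP session (tsdiscon)' }
        else { Disconnect-CurrentRdpSession }
    }
    else {
        if ($WhatIf) { 'Would lock the local workstation (LockWorkStation)' }
        else { Lock-LocalWorkstation }
    }
}

# Dry run: report which workaround applies here without locking or disconnecting.
Invoke-SafeLock -WhatIf
```

Run `Invoke-SafeLock` without `-WhatIf` (for example bound to a shortcut) to replace the habit of pressing Win+L inside a remote desktop. The build check only adds a warning; per the advisory, disconnecting rather than locking is the right habit for any RDP session.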

Tammariello reported the flaw to Microsoft on April 19, but the company does not consider it a security vulnerability that warrants a fix.

“[The] behavior does not meet the Microsoft Security Servicing Criteria for Windows,” states the company.


Pierluigi Paganini

(SecurityAffairs – RDP, CVE-2019-9510)

