CredSSP Update Causing Remote Desktop Error (Patch code: KB4103721)

Windows has released a new update on the 13th of May with a security patch for the Credential Security Support Provider protocol (CredSSP), addressing a remote code execution vulnerability that exists in unpatched versions of the protocol. The patch has, however, had an unforeseen side effect.

What is CredSSP?

CredSSP is a security protocol used to process authentication requests for other applications, in this case the Windows Remote Desktop Protocol (RDP). In simple terms, it is CredSSP that allows you to connect to your Windows server and execute code there.

What is the effect of this CredSSP vulnerability?

Currently, an attacker who successfully exploits this remote code execution vulnerability on unpatched servers could relay user credentials to execute code on the target system, thereby taking control of the server and putting any sites or information stored there at risk.

Unfortunately, as part of this security patch, connectivity to and from unpatched servers has been disabled, preventing Remote Desktop access. Unpatched machines cannot communicate with patched machines, and vice versa.

Who does this affect?

All Windows operating systems with RDP capability are vulnerable to this type of attack. Both local machines and remote servers are vulnerable if they use a Windows OS.

How to resolve this issue

To resolve this issue, we strongly advise that you keep your servers and local PCs up to date with the latest available security patches.

In this case the required patch is KB4103721, which will be installed automatically by the Windows Update service.
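Because the Remote Desktop error appears when one end of the connection is patched and the other is not, it helps to inventory both ends. The PowerShell script below is an added example, not part of the original article: it reports whether the KB named above is recorded on each machine. The host names are constructed placeholders, and a machine that received the fix through a different or later cumulative update will show as not found under this ID, so the script also reports the most recent update it sees.

```powershell
# Added example: inventory CredSSP patch state on both ends of an RDP connection.
# Host names are constructed placeholders; replace them with your own machines.
param(
    [string[]]$ComputerName = @('rdp-client01.example.test', 'rdp-server01.example.test'),
    [string[]]$HotFixId     = @('KB4103721')   # the KB named in this article
)

function Get-CredSspPatchState {
    param(
        [string[]]$ComputerName,
        [string[]]$HotFixId
    )

    foreach ($computer in $ComputerName) {
        $state = [ordered]@{
            ComputerName = $computer
            Reachable    = $false
            HotFixFound  = $null   # stays $null when the host could not be queried
            InstalledOn  = $null
            LatestUpdate = $null
        }
        try {
            # Get-HotFix lists the updates Windows has recorded on the machine.
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop)
            $state.Reachable = $true

            $match = $installed |
                Where-Object { $HotFixId -contains $_.HotFixID } |
                Select-Object -First 1
            $state.HotFixFound = [bool]$match
            if ($match) { $state.InstalledOn = $match.InstalledOn }

            # Most recent recorded update: a hint that a later cumulative
            # update may already include the fix under another KB number.
            $state.LatestUpdate = ($installed |
                Where-Object InstalledOn |
                Sort-Object InstalledOn |
                Select-Object -Last 1).HotFixID
        } catch {
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
        }
        [pscustomobject]$state
    }
}

Get-CredSspPatchState -ComputerName $ComputerName -HotFixId $HotFixId |
    Format-Table -AutoSize
```

Any pair of machines where `HotFixFound` differs is a candidate for the connection failure described above; update the machine that is behind.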

More information on the CredSSP Remote Code Execution Vulnerability can be located here;

If you require help with this then please contact us.