A new, unpatched vulnerability has been disclosed in Microsoft Windows Remote Desktop Protocol (RDP). The vulnerability, tracked as CVE-2019-9510, could permit client-side attackers to bypass the lock screen on remote desktop (RD) sessions.
The flaw, found by Joe Tammariello of the Carnegie Mellon University Software Engineering Institute (SEI), exists when the Microsoft Windows Remote Desktop feature requires clients to authenticate with Network Level Authentication (NLA), the very feature Microsoft recommended as a temporary mitigation for the critical BlueKeep RDP vulnerability.
According to Will Dormann, a vulnerability analyst at the CERT/CC, if a network anomaly triggers a temporary RDP disconnect while a client is already connected to the server and the login screen is locked, then “upon reconnection the RDP session will be restored to an unlocked state, regardless of how the remote system was left.”
He stated in an advisory that beginning with Windows 10 1803 and Windows Server 2019, Windows RDP handling of NLA-based RDP sessions has changed in a way that can cause unexpected behavior with respect to session locking.
Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, are also bypassed by this mechanism, as are any login banners enforced by an organization.
The CERT describes the attack scenario as follows:
- A targeted user connects to a Windows 10 or Server 2019 system via RDS.
- The user locks the remote session and leaves the client device unattended.
- At this point, an attacker with access to the client device can interrupt its network connectivity and gain access to the remote system without needing any credentials.
This means exploiting the vulnerability is trivial: an attacker only needs to interrupt the network connectivity of the targeted client.
Since the attacker needs physical access to a targeted system (i.e., a client with an active session whose screen is locked), the scenario itself considerably limits the attack surface.
Microsoft was notified regarding the vulnerability on April 19 by Tammariello, but the company responded by saying the “behavior does not meet the Microsoft Security Servicing Criteria for Windows.”
The company has no plans to patch the issue anytime soon, but users can protect themselves from exploitation of this vulnerability by locking the local system instead of the remote system, and by disconnecting remote desktop sessions instead of just locking them.
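Defenders can at least hunt for the disconnect-then-reconnect pattern this behavior produces on the RD host. The following PowerShell script is an added example, not part of the CERT advisory; it assumes the "Audit Other Logon/Logoff Events" subcategory is enabled (so Security events 4779 and 4778 are written), that it runs elevated, and that the event property order is AccountName, AccountDomain, LogonID, SessionName, ClientName, ClientAddress.

```powershell
# Added example: pair RDP session disconnects (4779) with reconnects (4778) that follow
# within a short window. Ordinary network blips will match too, so hits are leads, not proof.
function Find-RdpQuickReconnect {
    param(
        [int]$LookbackHours = 24,
        [int]$WindowSeconds = 120
    )
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4778, 4779; StartTime = $since } `
                           -ErrorAction SilentlyContinue |
              Sort-Object TimeCreated

    # Assumed property order for 4778/4779:
    # [0] AccountName [1] AccountDomain [2] LogonID [3] SessionName [4] ClientName [5] ClientAddress
    $pending = @{}   # key "LogonID|SessionName" -> most recent disconnect event
    foreach ($e in $events) {
        $p   = $e.Properties
        $key = "$($p[2].Value)|$($p[3].Value)"
        if ($e.Id -eq 4779) { $pending[$key] = $e; continue }

        # 4778: reconnect. Report it only if a disconnect for the same session is still pending.
        if ($pending.ContainsKey($key)) {
            $disc = $pending[$key]
            $gap  = ($e.TimeCreated - $disc.TimeCreated).TotalSeconds
            if ($gap -le $WindowSeconds) {
                [pscustomobject]@{
                    Account        = "$($p[1].Value)\$($p[0].Value)"
                    Session        = $p[3].Value
                    DisconnectedAt = $disc.TimeCreated
                    ReconnectedAt  = $e.TimeCreated
                    GapSeconds     = [math]::Round($gap, 1)
                    ClientName     = $p[4].Value
                    ClientAddress  = $p[5].Value
                }
            }
            $pending.Remove($key)
        }
    }
}

Find-RdpQuickReconnect -LookbackHours 24 -WindowSeconds 120 | Format-Table -AutoSize
```

Sessions that reconnect from a different ClientAddress than the one that disconnected deserve the closest look, since the scenario above assumes the attacker sits at the same client.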