CredSSP: RDP problem when not all the systems are updated

In April 2018 Microsoft released an update to address a specific CVE that involves the Credential Security Support Provider protocol (CredSSP): CVE-2018-0886

This update was released for all the supported Windows operating systems. Even though I recommend keeping your servers up to date, most customers don't have an automatic procedure to update their systems on a regular basis (SCCM could be the right answer).

Here is where problems start.

Scenario

An updated client with the 2018-05 update tries to connect to a server without the May update, or vice versa: a client without the update tries to connect to a server with the May update installed.

In both situations the same error pops up:

An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.

In this case we have two options:

  1. Update the server and client to the latest released Update (suggested)
  2. Disable the CredSSP Encryption Oracle remediation (less secure RDP connection)

Since option 1 is not the fastest one, here is a workaround to disable this security feature (on the updated system):

  • Open a Command Prompt window as Administrator and add the registry value (the key is created if it does not exist):
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2
  • Or open an elevated PowerShell session, create the key if needed and set the same value:
    New-Item -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -Force | Out-Null
    Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -Name 'AllowEncryptionOracle' -Value 2 -Type DWord

Here is the reference table for RDP connections with the different Encryption Oracle Remediation protection levels (rows: client setting, columns: server setting):

Client \ Server          Updated   Force updated clients   Mitigated   Vulnerable
Updated                  Allowed   Blocked                 Allowed     Allowed
Force updated clients    Blocked   Allowed                 Allowed     Allowed
Mitigated                Blocked   Allowed                 Allowed     Allowed
Vulnerable               Allowed   Allowed                 Allowed     Allowed

Conclusion

This should be a temporary workaround; the best way is to keep all the systems up to date. It is also possible to create a GPO to deploy this workaround until all the systems are updated, which makes it easy to revert the RDP configuration to a better and more secure standard afterwards.

Here are the GPO details:

  1. GPO path: Computer Configuration > Administrative Templates > System > Credentials Delegation
  2. Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.
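To find out which machines still carry the workaround, and to revert it once they are patched, an added example (not from the original post) that audits the AllowEncryptionOracle value over PowerShell remoting. It assumes WinRM is enabled and the caller is an administrator on the targets; the host names are placeholders. If the value is deployed through the GPO above, disable the policy instead: Group Policy will otherwise rewrite the value at the next refresh.

```powershell
# Added example, not part of the original post.
# Assumption: PowerShell remoting (WinRM) is enabled on the target hosts.

$Audit = {
    $key    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    # Meaning of the DWORD, matching the GPO "Protection Level" names
    $levels = @{ 0 = 'Force updated clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
    $raw    = (Get-ItemProperty -Path $key -Name AllowEncryptionOracle -ErrorAction SilentlyContinue).AllowEncryptionOracle
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        AllowOracle      = $raw                      # $null when the value is absent
        ProtectionLevel  = if ($null -eq $raw) { 'Not set (OS default)' } else { $levels[[int]$raw] }
        WorkaroundActive = ($raw -eq 2)              # 2 = Vulnerable, the value set by the REG ADD above
    }
}

$Revert = {
    # Remove the value so the default policy applies again; harmless if it is already gone.
    $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    }
}

$targets = 'SRV01', 'SRV02'   # placeholder host names
$report  = Invoke-Command -ComputerName $targets -ScriptBlock $Audit
$report | Format-Table ComputerName, AllowOracle, ProtectionLevel, WorkaroundActive

# Revert only where the workaround is actually present (after confirming the hosts are patched)
$toFix = $report | Where-Object WorkaroundActive | Select-Object -ExpandProperty PSComputerName
if ($toFix) { Invoke-Command -ComputerName $toFix -ScriptBlock $Revert }
```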
