According to Security researchers, the Windows 1903 Update has a nasty bug in the Network Level Authentication (NLA) that can allow attackers to take control of the remote sessions.

For those unaware, NLA prevents attackers from remotely login into your Windows PC. NLA will ask them to provide required details in order to authenticate, clearly, the attackers aren’t supposed to know these details unless you share it with them.

Now, the working principle of NLA in the latest Windows 10 1903 Update isn’t similar to how it worked in the previous versions of the OS. As per Nakedsecurity,

The authentication mechanism caches the client’s login credentials on the RDP host so that it can quickly log the client in again if it loses connectivity. The change enables an attacker to circumvent a Windows lock screen, warns CERT/CC, which disclosed the issue, in an advisory.

And according to the advisory,

Because of this vulnerability, the reconnected RDP session is restored to a logged-in desktop rather than the login screen. This means that the remote system unlocks without requiring any credentials to be manually entered.

Worse, the bug let attackers bypass the multi-factor authentication(MFA) systems.

Microsoft, however, dismissed the RDP bug as a feature, saying,

After investigating this scenario, we have determined that this behavior does not meet the Microsoft Security Servicing Criteria for Windows. What you are observing is Windows Server 2019 honoring Network Level Authentication (NLA). Network Level Authentication requires user creds to allow connection to proceed in the earliest phase of connection. Those same creds are used logging the user into a session (or reconnecting). As long as it is connected, the client will cache the credentials used for connecting and reuse them when it needs to auto-reconnect (so it can bypass NLA).

Now that Microsoft admitted that it’s a feature and not a bug and therefore won’t offer any fix any time soon, you should use the local machine’s lock screen rather than relying on the remote box’s lock, says the CERT advisory.

Comments