CredSSP Vulnerability Main Focus of March Patch Tuesday
For March Patch Tuesday, Microsoft announced 74 CVEs. But one deserves special attention.
A remote code execution (RCE) vulnerability in Microsoft’s Credential Security Support Provider (CredSSP) protocol allows a remote attacker to leverage a man-in-the-middle attack to execute arbitrary code on a different machine in the attacked network. This would enable a lateral movement scenario.
The vulnerability affects every version of Microsoft Windows to date.
CVE-2018-0886 is a logical flaw in CredSSP, the protocol that Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) use to forward credentials to target servers in a secure manner. Most enterprises use RDP for remote login, making them vulnerable to the issue.
A demonstration of the exploit has been released; it is not known to be exploited in the wild at this time. But, with the information available, that could change quickly.
The patch has just now been made available, but the vulnerability was brought to Microsoft’s attention in August 2017 — seven months before they released the patch.
Spectre/Meltdown Class of Vulnerabilities in AMD Processors
13 critical vulnerabilities have been discovered in AMD’s co-processor. The vulnerabilities affect the AMD EPYC, Ryzen, Ryzen Pro and Ryzen Mobile lines of processors.
The vulnerabilities are categorized into four classes (Ryzenfall, Fallout, Chimera and Masterkey) and require admin privileges. Though no CVEs have been assigned yet, this looks like the real thing. CTS, the Israeli research organization that disclosed the vulnerabilities, has published a report, though it lacks the technical details that would be expected. Some researchers have received a full technical report and the proof-of-concept exploit code for each set of vulnerabilities, but these have yet to be made public.
For now, security teams will have to sit tight while the PR party dances on.
It appears AMD was given just one day of advance notice before the public report was released. So much for the 90-day gentlemen’s agreement.
Adobe and Mozilla
In other news, Adobe has released three security bulletins (APSB18-05, APSB18-06 and APSB18-07) affecting Adobe Flash Player, Adobe Connect and Adobe Dreamweaver CC. No zero-days appear to be included in these fixes.
Mozilla also announced 25 CVEs included in MFSA2018-06 and MFSA2018-07.
All of these vulnerabilities can be discovered by the Skybox Vulnerability Detector feature in Skybox Vulnerability Control without an active scan. Learn more about the Skybox approach to vulnerability management at www.skyboxsecurity.com/tcvm.