CredSSP Flaw in Remote Desktop Protocol


#1

Hi,

I was wondering if Duo for RDP mititgates any risk from CredSSP Flaw in Remote Desktop Protocol (CVE-2018-0886). The Microsoft fix requires both the server and the client to have the update installed. That update is responsible for messing up NICs on Windows 7 and 2008R2 machines (KB4088875/KB4088878). If Duo mitigates this vulnerability, it give MS some time to get their things together, and for clients to update the person devices.

Thanks!


#2

Hey @UniqueUsername The CredSSP vulnerability affects an underlying protocol so it’s invoked before Duo Winlogon. We have tested the Microsoft patch and it does not interfere with Duo once patched.

It is unfortunate to hear the MS Patch wass causing issues with VMXNET3 adapters, but it looks like there is now a workaround for that issue: https://support.microsoft.com/en-us/help/3125574/convenience-rollup-update-for-windows-7-sp1-and-windows-server-2008-r2


#3

Hi Patrick,

Thanks for the information. MS still doesn’t quite have their act together with this update. See https://support.microsoft.com/en-us/help/4088878/windows-7-update-kb4088878 for a long list of problems and their duct tape fixes. I might have to ride this out until April updates come along.

Thanks