The Network Level Authentication (NLA) feature of Windows Remote Desktop Services (RDS) can allow a hacker to bypass the lockscreen on remote sessions, and there is no patch from Microsoft, the CERT Coordination Center at Carnegie Mellon University warned on Tuesday.
NLA provides better protection for Remote Desktop (RD) sessions by requiring the user to authenticate to the RD Session Host server before a session is created. Microsoft recently recommended NLA as a workaround for a critical RDS vulnerability tracked as BlueKeep and CVE-2019-0708.
When a user connects to a remote system over RDS, they can lock the session similar to how sessions can be locked locally in Windows. If the session is locked, the user is presented with a lockscreen where they have to authenticate in order to continue using the session.
Joe Tammariello of the Software Engineering Institute at Carnegie Mellon University discovered a vulnerability that can be exploited to bypass the lockscreen on an RDS session. The flaw, tracked as CVE-2019-9510 and assigned a CVSS score of 4.6 (medium severity), affects versions of Windows starting with Windows 10 1803 and Server 2019.
“If a network anomaly triggers a temporary RDP disconnect, upon automatic reconnection the RDP session will be restored to an unlocked state, regardless of how the remote system was left,” CERT/CC explained in an advisory.
The organization has described the following attack scenario: the targeted user connects to a Windows 10 or Server 2019 system via RDS, they lock the remote session, and leave the client device unattended. At this point, an attacker who has access to the client device can interrupt its network connectivity, and they can then gain access to the remote system without needing any credentials.
“Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, are also bypassed using this mechanism. Any login banners enforced by an organization will also be bypassed,” CERT/CC said.
Tammariello reported his findings to Microsoft, but the tech giant apparently does not plan on patching the vulnerability too soon.
“After investigating this scenario, we have determined that this behavior does not meet the Microsoft Security Servicing Criteria for Windows,” Microsoft said, according to CERT/CC vulnerability analyst Will Dormann.
Users can protect themselves against potential attacks via two methods: locking the local system instead of the remote system, and disconnecting the RDS session instead of locking it.