The BlueKeep Vulnerability Is Now Compounded by a Network Level Authentication (NLA) Lock-Screen Bypass That a Client-Side Attacker Can Exploit.
One of the recommended mitigations for the pre-auth RDP bug (pet-named BlueKeep, CVE-2019-0708) was to require Network Level Authentication (NLA) for RDP connections, so that a client must authenticate before the server creates a session. Those who can't (or won't) patch their systems ran to NLA as a way to mitigate the risk.
Well, Not So Fast!!!
The Network Level Authentication flaw
Security researchers at Carnegie Mellon University's CERT Coordination Center published a vulnerability note describing a new, still unpatched vulnerability in the Microsoft Windows Remote Desktop Protocol (RDP). Tracked as CVE-2019-9510, it allows an attacker with access to the RDP client system to bypass the lock screen of an established remote desktop session.
The NLA flaw was discovered by Carnegie Mellon University researcher Joe Tammariello. His report explains that the flaw lies in how Windows handles NLA-based RDP sessions: starting with Windows 10 1803 and Windows Server 2019, a session that reconnects after a network interruption is restored to an unlocked state regardless of how it was left. NLA is precisely the security measure Microsoft recommended to protect users from BlueKeep exploitation, so the mitigation itself introduces this new exposure.
“If a network error triggers a temporary disconnect from the RDP session while the client was connected to the server but the home screen was locked, after the reconnection the RDP session will be restored, bypassing the lock screen,” says Tammariello.
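The following PowerShell script is an added example, not code from the original post or from CERT/CC. It audits a Windows host for the two points above: whether NLA is required (the BlueKeep mitigation), and whether the host is on a build where the NLA reconnect behaviour unlocks the session, in which case it also checks for the workaround of disconnecting idle RDP sessions rather than leaving them locked. It assumes the affected builds are Windows 10 1803 (build 17134) and later, including Windows Server 2019 (build 17763), and it reads the idle-session limit from the policy registry value MaxIdleTime, which is where the Group Policy "Set time limit for active but idle Remote Desktop Services sessions" is stored.

```powershell
# Added example (not from the original post or CERT/CC): audit a host for the
# NLA reconnect lock-screen issue and for the idle-disconnect workaround.
# Run in an elevated PowerShell session on the RDP server being checked.
# Assumptions: affected builds are 17134 (Windows 10 1803) and later, which
# includes 17763 (Windows Server 2019); MaxIdleTime is the policy value in
# milliseconds behind the "Set time limit for active but idle Remote Desktop
# Services sessions" GPO.

$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ntVer    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$FirstAffectedBuild = 17134   # assumption: Windows 10 1803

function Get-RdpNlaAudit {
    [CmdletBinding()]
    param(
        # When set, enforce the workaround by disconnecting idle sessions
        # after this many minutes (0 leaves the policy untouched).
        [int]$IdleDisconnectMinutes = 0
    )

    # 1. NLA: UserAuthentication = 1 means the client must authenticate
    #    (CredSSP) before a session is created. This is the BlueKeep mitigation.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication `
                -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($nla -eq 1)

    # 2. Build number: the reconnect-unlocks-session behaviour starts at 1803.
    $build = [int](Get-ItemProperty -Path $ntVer -Name CurrentBuildNumber).CurrentBuildNumber
    $affectedBuild = ($build -ge $FirstAffectedBuild)

    # 3. Workaround: if sessions are disconnected when idle instead of merely
    #    locked, a reconnect goes through a fresh logon rather than restoring
    #    an unlocked desktop. Value is in milliseconds; absent or 0 = no limit.
    $idleMs = (Get-ItemProperty -Path $tsPolicy -Name MaxIdleTime `
                -ErrorAction SilentlyContinue).MaxIdleTime
    $idleLimitSet = ($null -ne $idleMs -and $idleMs -gt 0)

    if ($IdleDisconnectMinutes -gt 0) {
        if (-not (Test-Path $tsPolicy)) { New-Item -Path $tsPolicy -Force | Out-Null }
        Set-ItemProperty -Path $tsPolicy -Name MaxIdleTime `
            -Value ($IdleDisconnectMinutes * 60 * 1000) -Type DWord
        $idleMs = $IdleDisconnectMinutes * 60 * 1000
        $idleLimitSet = $true
    }

    # The exposure described in the post needs all three conditions:
    # NLA in use, an affected build, and sessions that are locked, not disconnected.
    [pscustomobject]@{
        Build                   = $build
        NLARequired             = $nlaRequired
        AffectedBuild           = $affectedBuild
        IdleDisconnectMinutes   = if ($idleLimitSet) { [int]($idleMs / 60000) } else { 0 }
        ExposedToReconnectUnlock = ($nlaRequired -and $affectedBuild -and -not $idleLimitSet)
    }
}

# Audit only:
Get-RdpNlaAudit | Format-List
# Audit and apply the disconnect-idle-sessions workaround (15 minutes):
# Get-RdpNlaAudit -IdleDisconnectMinutes 15 | Format-List
```

Note that the other workaround in the CERT note, locking the local client machine instead of the remote desktop, is a user behaviour and cannot be checked from the server side. Turning NLA off to dodge this issue re-exposes the host to BlueKeep, so the idle-disconnect limit (or patching) is the right lever.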
Furthermore, this renders some third-party multi-factor solutions such as Duo (just an honest example) useless, because exploiting the vulnerability bypasses Duo entirely: the reconnect restores the already-authenticated session, so no second factor is ever requested.
NOTE 1: Not all multi-factor solutions are affected. And Duo is not alone: several other MFA solutions that hook the Windows logon or lock screen operate similarly and are subject to this bypass.
NOTE 2: Following on from NOTE 1, it's important to add that neither Duo nor the others HAVE bugs in their solutions that cause this vulnerability. There is nothing wrong with their code relative to this matter.
This one is on Microsoft.