Network Level Authentication

The Bluekeep Vulnerability is Now Compounded by Network Level Authentication (NLA) client-side attacker bypass Vulnerability.

One of the remedies to the pre-auth RDP bug (pet-named Bluekeep) was to require users to enter RDP sessions with Network Level Authentication (NLA).  Those that can’t (or won’t) patch their systems, ran to NLA as a way to mitigate the risk.

Well, Not So Fast!!!

The Network Level Authentication flaw

Security Researchers published a report detailing a new uncorrected vulnerability in the Microsoft Windows Remote Desktop Protocol (RDP). Tracked as CVE-2019-9510, this vulnerability could allow client-side attackers to bypass the lock screen in remote desktop sessions.

The NLA flaw was discovered by Carnegie Mellon University researcher Joe Tammariello; in his report, Tammariello mentions that the flaw exists because of the Windows Remote Desktop function, which requires users to enter with Network Level Authentication (NLA), a security measure that Microsoft recommended to their users to protect themselves from the BlueKeep vulnerability exploitation.

“If a network error triggers a temporary disconnect from the RDP session while the client was connected to the server but the home screen was locked, after the reconnection the RDP session will be restored bypassing the lock screen”, says Tammariello.

Furthermore, this causes some 3rd party multi-factor solutions such as Duo (just an honest example) to become useless as exploiting the vulnerability bypasses Duo entirely.

NOTE 1: Not all multi-factor solutions are affected.  And, Duo is not alone as several other MFA solutions operate similarly and are subject to this bypass.

NOTE 2: See NOTE 1, it’s important to add that neither Duo nor the others HAVE bugs in their solutions that cause this vulnerability. There is nothing wrong with their code relative to this matter.

This one is on Microsoft.

The later versions of Windows 10 1803 and Windows Server 2019 are those that present this vulnerability because with the most recent update it changed the handling of the NLA-based Windows RDP sessions so that an unexpected performance can be generated in the session lock.

Read that paragraph (above) again.  While Bluekeep affects OSes dating back to Windows XP and Server 2003, but not Windows 10, This Network Level Authentication (NLA) vulnerability affects all Windows OSes, including Windows 10 and Server 2019.

As reported, the process of exploiting the vulnerability occurs in 3 primary stages:

  1. The target user connects to a Windows 10 or Server system via RDP.
  2. The user blocks their session and leaves the device unattended.
  3. The bad-actor with access to the device can interrupt the user’s connection and access the RDP session without having to authenticate.

According to researchers, the exploitation of this vulnerability is relatively simple, because the bad-actor only requires interrupting the network connection in the targeted system. On the other hand, and as a positive note (if there is such a thing), the attack depends on the bad-actor having physical access to the vulnerable system to interrupt its network connection, so the threat surface is at least considerably reduced.

Will the NLA be corrected?

Microsoft was apparently notified last April of this issue but responded to the flaw report by mentioning that “this behavior does not meet the criteria established by the Microsoft Security Center for Windows”, so the failure will not be corrected, at least not now.  This doesn’t sound right to me or with others who are monitoring the situation (as well as Social Media).

We know that the Microsoft security team will dig into this issue deeper, or may likely reconsider that the Network Level Authentication (NLA) issue should not be considered a normal function.

We’ll keep you posted as we learn more.

Till next time,

Ed