New vulnerability in Windows RDP: the NLA setting recommended against BlueKeep allows a lock-screen bypass

Security researchers have published a report detailing a new, unpatched vulnerability in the Microsoft Windows Remote Desktop Protocol (RDP). Tracked as CVE-2019-9510, the flaw allows an attacker with access to the client machine to bypass the lock screen of a remote desktop session.

The flaw was discovered by Carnegie Mellon University researcher Joe Tammariello. According to the report, the problem lies in how Windows handles Remote Desktop sessions when Network Level Authentication (NLA) is required; NLA is precisely the setting Microsoft recommended that users enable to protect themselves from exploitation of the BlueKeep vulnerability.

“If a network error triggers a temporary disconnect from the RDP session while the client was connected to the server but the home screen was locked, after the reconnection the RDP session will be restored, bypassing the lock screen”, the expert explains.

Windows 10 version 1803 and later, and Windows Server 2019, are affected: in these releases Microsoft changed the handling of NLA-based RDP sessions, and the new behavior produces an unexpected result when the session is locked, explains the specialist.

In his report, the specialist describes the process of exploiting the vulnerability in three stages:

  • The target user connects to a Windows 10 or Windows Server system via RDP
  • The user locks the remote session and leaves the client device unattended
  • An attacker with access to the client device interrupts its network connection; when the RDP client reconnects, the session is restored unlocked and the attacker can use it without authenticating

According to specialists from the International Institute of Cyber Security (IICS), exploiting this vulnerability is relatively simple: the attacker only needs to interrupt the network connection of the client machine briefly (for instance, by unplugging its network cable). On the other hand, the attack requires physical access to that unattended client, which considerably reduces its reach.
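As an added illustration (this is not code from the report, from Microsoft or from IICS), the following PowerShell script checks whether a Windows host is in the configuration the article describes as affected: one of the affected builds, with RDP enabled and NLA required. The build-number mapping (17134 for Windows 10 version 1803, 17763 for Windows Server 2019) and the registry locations used for the RDP and NLA settings are assumptions of this script, not taken from the report.

```powershell
# Added example, not part of the original report: report whether this host is in the
# configuration described as affected by CVE-2019-9510, i.e. Windows 10 1803 or later,
# or Windows Server 2019, with RDP enabled and Network Level Authentication required.
# Build numbers and registry paths below are assumptions of this script.

$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$build    = [int]$os.BuildNumber
# ProductType: 1 = workstation, 2 = domain controller, 3 = server
$isServer = $os.ProductType -ne 1

# Assumed build thresholds: 17134 = Windows 10 version 1803, 17763 = Windows Server 2019.
$affectedBuild = if ($isServer) { $build -ge 17763 } else { $build -ge 17134 }

# Is RDP enabled at all? fDenyTSConnections = 0 means incoming connections are allowed.
$tsPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$denyTs     = (Get-ItemProperty -Path $tsPath -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($denyTs -eq 0)

# NLA enforcement is stored on the RDP-Tcp listener: UserAuthentication = 1 means NLA is required.
$rdpTcp      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$userAuth    = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($userAuth -eq 1)

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    Version        = "$($os.Caption) build $build"
    AffectedBuild  = $affectedBuild
    RdpEnabled     = $rdpEnabled
    NlaRequired    = $nlaRequired
    # True means sessions locked (but still connected) on this host match the scenario above
    AffectedConfig = ($affectedBuild -and $rdpEnabled -and $nlaRequired)
}
```

Run it in an elevated PowerShell prompt on the RDP server. An `AffectedConfig` of `True` means that a user who locks a remote session on this host and walks away from the client is exposed to the scenario described above. The check says nothing about the client side: the attack is carried out from the unattended client, so the host-side result only tells you which servers' sessions are at stake.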

Microsoft was notified on April 9, but responded to the report by stating that “this behavior does not meet the criteria established by the Microsoft Security Center for Windows”, so the flaw will not be fixed, at least not for now.