{"vulnerability": "cve-2018-0886", "sightings": [{"uuid": "72bef5e1-ef52-42e9-9a8c-030abb5b9e56", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2018-0886", "type": "seen", "source": "https://t.me/information_security_channel/14269", "content": "Microsoft Patches Remote Code Execution Flaw in CredSSP\nhttp://feedproxy.google.com/~r/Securityweek/~3/ZyvlNR9ld1Y/microsoft-patches-remote-code-execution-flaw-credssp\n\nA vulnerability (CVE-2018-0886) patched by Microsoft with its March 2018 security patches was a remote code execution flaw in the Credential Security Support Provider protocol (CredSSP) used by Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM).\nThis vulnerability can be exploited by an attacker to relay user credentials to execute code on a target system. The authentication provider, Microsoft explains, processes authentication requests for other applications, meaning that the vulnerability puts all applications that depend on CredSSP at risk. \nPreempt, which discovered the bug, explains that this is a logical vulnerability that affects all Windows versions to date. With almost all enterprise customers using RDP, exploitation of this vulnerability could have a vast impact, the researchers say. \nCybercriminals can set up a man-in-the-middle attack, wait for a CredSSP session, and then steal session authentication to perform a Remote Procedure Call (DCE/RPC) attack on the server the user attempted to connect to. \nChris Morales, head of security analytics at Vectra, pointed out to SecurityWeek in an emailed comment that this type of activity could rather be considered a form of internal reconnaissance that any company properly monitoring their internal environment should be able to detect. \n\u201cIn the big picture, there are a lot of variables that have to be right in a targeted environment for this attack to succeed. Most importantly, the attacker needs to already be on the network and in a position between the clients and servers. If an attacker is already that deep in the network, there are many other things they could do scope out a network, find authentication accounts and compromise a server,\u201d Morales said.\nOnce they managed to steal the session, the attacker can run commands to install programs, read / modify / delete data, or create new accounts with full user rights.\nScenarios in which the vulnerability can be exploited include those where the attacker has some physical access to the targeted network, those where Address Resolution Protocol (ARP) poisoning is used for lateral movement, or those where the attacker is targeting sensitive servers via vulnerable routers or switches, Preempt says. The company also published a video detailing the vulnerability. \n\u201cTo be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems,\u201d Microsoft explains. \nThe vulnerability impacts Windows 7, Windows 8.1, and Windows 10 systems, as well as Windows Server 2008, Windows Server 2012, and Windows Server 2016. \nTo address the issue, Microsoft released an update to correct the manner in which CredSSP validates requests during the authentication process. The update patches the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.\n\u201cMitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to \u201cForce updated clients\u201d or \u201cMitigated\u201d on client and server computers as soon as possible,\u201d Microsoft says. \nThe software giant also explains that this patch is only the first update it is releasing to address the issue. An update planned for next month should \u201cenhance the error message that is presented when an updated client fails to connect to a server that has not been updated,\u201d while another planned for May should \u201cchange the default setting from Vulnerable to Mitigated.\u201d", "creation_timestamp": "2018-03-14T17:48:12.000000Z"}, {"uuid": "cce40a35-0a3c-4def-97f1-6431000f707b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2018-0886", "type": "seen", "source": "https://t.me/CNewsDaily/694", "content": "Microsoft \u0440\u0430\u0441\u0441\u043a\u0430\u0437\u0430\u043b\u0430, \u043a\u0430\u043a \u043d\u0435 \u043b\u0438\u0448\u0438\u0442\u044c\u0441\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0441\u0435\u0440\u0432\u0435\u0440\u0430\u043c \u043f\u043e\u0434 Windows. \u0412\u0438\u0434\u0435\u043e\nhttp://www.cnews.ru/news/top/2018-03-27_v_microsoft_rasskazalikak_ne_lishitsya_dostupa\n\nMicrosoft \u043f\u043b\u0430\u043d\u0438\u0440\u0443\u0435\u0442 \u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u0430\u0442\u044c RDP-\u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u044b\u0445 \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u0432. \u0415\u0441\u043b\u0438 \u043d\u0430 \u043a\u043b\u0438\u0435\u043d\u0442\u0441\u043a\u043e\u0439 \u0438\u043b\u0438 \u043d\u0430\n\u0441\u0435\u0440\u0432\u0435\u0440\u043d\u043e\u0439 \u0441\u0442\u043e\u0440\u043e\u043d\u0435 \u043d\u0435 \u0431\u0443\u0434\u0443\u0442 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u044b \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u043a \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 CVE-2018-0886, \u0441 \u043c\u0430\u044f 2018 \u0433. RDP-\u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u044f\n\u0434\u043b\u044f \u0442\u0430\u043a\u0438\u0445 \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u0432 \u0441\u0442\u0430\u043d\u0443\u0442 \u043d\u0435\u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u043c\u0438.", "creation_timestamp": "2018-03-27T17:42:42.000000Z"}, {"uuid": "53c0fbe9-d4a4-45d2-af3e-ab4f48fafcb6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2018-0886", "type": "seen", "source": "https://t.me/winitpro_ru/145", "content": "\u041f\u0440\u043e\u0448\u043b\u043e \u0443\u0436\u0435 \u043f\u043e\u0447\u0442\u0438 \u043f\u043e\u043b\u0442\u043e\u0440\u0430 \u0433\u043e\u0434\u0430 \u043f\u043e\u0441\u043b\u0435 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438 CVE-2018-0886 , \u0430 \u043a\u043e \u043c\u043d\u0435 \u0434\u043e \u0441\u0438\u0445 \u043f\u043e\u0440 \u043f\u0440\u0438\u0431\u0435\u0433\u0430\u044e\u0442 \u0441 \u043e\u0448\u0438\u0431\u043a\u043e\u0439 RDP \"\u0423\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0431\u043b\u0435\u043c \u0441 \u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u0438\u0435\u043c CredSSP\" \u043f\u0440\u0438 \u043f\u043e\u043f\u044b\u0442\u043a\u0435 \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u044f \u043a \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c\u0443 \u0440\u0430\u0431\u043e\u0447\u0435\u043c\u0443 \u0441\u0442\u043e\u043b\u0443 Windows. \u0413\u043e\u0441\u043f\u043e\u0434\u0430, \u043d\u0435 \u0437\u0430\u0431\u044b\u0432\u0430\u0439\u0442\u0435 \u0441\u0442\u0430\u0432\u0438\u0442\u044c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0445\u043e\u0442\u044f \u0431\u044b \u0438\u043d\u043e\u0433\u0434\u0430) :\ud83d\ude1c http://winitpro.ru/index.php/2018/05/11/rdp-auth-oshibka-credssp-encryption-oracle-remediation/", "creation_timestamp": "2019-09-17T16:31:41.000000Z"}, {"uuid": "ca2a7a09-72a2-4109-afa2-06b5fd49ebb9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2018-0886", "type": "seen", "source": "https://t.me/information_security_channel/14189", "content": "Microsoft Patches Over Dozen Critical Browser Flaws\nhttp://feedproxy.google.com/~r/Securityweek/~3/oyJUlBj0sng/microsoft-patches-over-dozen-critical-browser-flaws\n\nMicrosoft\u2019s Patch Tuesday updates for March 2018 fix a total of 75 vulnerabilities, including more than a dozen critical flaws affecting the company\u2019s Edge and Internet Explorer web browsers.\nAll the security holes rated critical this month affect the web browsers. A vast majority of the issues have been described as remote code execution flaws that exist due to the way browser scripting engines handle objects in memory.\nThe only critical vulnerability that cannot be exploited for arbitrary code execution can lead to disclosure of information that can be leveraged to further hack the targeted system.\nTwo of the flaws patched by Microsoft have been publicly disclosed before patches became available, but they are only rated as \u201cimportant,\u201d and there is no evidence of malicious exploitation. These bugs are a denial-of-service (DoS) issue in ASP.NET and a privilege escalation in Exchange.\nThe Zero Day Initiative (ZDI) pointed out that the Exchange vulnerability exists in the Outlook Web Access (OWA) component and it can be exploited for phishing attacks.\nAnother interesting privilege escalation flaw affects the Windows installer and it allows an authenticated attacker to run arbitrary code with elevated permissions.\n\u201cAt first glance, this doesn\u2019t seem very crucial since an attacker would need the ability to run programs on a target system to exploit this vulnerability,\u201d ZDI said in a blog post (https://www.thezdi.com/blog/2018/3/13/the-march-2018-security-update-review). \u201cHowever, this type of bug is often used by malware authors to \u201cpiggyback\u201d their malicious code on top of innocuous code. It\u2019s always easier to convince someone to install \u2018GreatNewGame.exe\u2019 instead of \u2018EvilMalware.exe\u2019.\u201d\nAnother noteworthy vulnerability is CVE-2018-0886, a remote code execution bug affecting the Credential Security Support Provider (CredSSP) protocol. In addition to applying Microsoft\u2019s patch, users also need to make some settings changes in order to fully mitigate potential attacks.\nMicrosoft\u2019s latest security updates also patch vulnerabilities in Hyper-V, Access, Identity Manager, SharePoint, and Windows. The company has also updated the Flash Player components present in its products to address a couple of flaws fixed on Tuesday by Adobe.\nRelated: Microsoft Patches Zero-Day Vulnerability in Office (https://www.securityweek.com/microsoft-patches-zero-day-vulnerability-office)\nRelated: Microsoft Patches Critical Vulnerability in Malware Protection Engine (https://www.securityweek.com/microsoft-patches-critical-vulnerability-malware-protection-engine)\nRelated: Microsoft Patches Office Zero-Day Used to Deliver Malware (https://www.securityweek.com/microsoft-patches-office-zero-day-used-deliver-malware)", "creation_timestamp": "2018-03-13T22:02:40.000000Z"}, {"uuid": "87b28ba2-50d4-46e2-933d-df5b534e1eea", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2018-0886", "type": "exploited", "source": "https://t.me/suboxone_chatroom/132", "content": "Both Falcon identity protection modules provide Active Directory attack detections:\n\u2022 Account enumeration reconnaissance (BloodHound, Kerberoasting)\n\u2022 Bronze Bit (CVE-2020-17049)\n\u2022 Brute force attacks (LDAP simple bind, NTLM, Kerberos)\n\u2022 Credential scanning (on-premises)\n\u2022 Cloud-based (Azure AD) brute-force/credentials scanning\n\u2022 DCSync \u2014 Active Directory replication\n\u2022 DCShadow\n\u2022 Forged PAC for privilege escalation (Bulletin MS-14-068)\n\u2022 Golden Ticket\n\u2022 Hidden object detected\n\u2022 NTLM Relay Attack (including MS Exchange)\n\u2022 Overpass-the-Hash (Multiple methods - Mimikatz, CrackMapExec)\n\u2022 Pass-the-Hash (Impacket, CrackMapExec, Metasploit)\n\u2022 Pass-the-Ticket\n\u2022 Possible exploitation attempt (CredSSP) CVE-2018-0886\n\u2022 Remote execution attempts\n\u2022 Skeleton Key and Mimikatz Skeleton Key\n\u2022 Suspected NTLM authentication tampering (CVE-2019-1040)\n\u2022 ZeroLogin (CVE-2020-1472)", "creation_timestamp": "2024-12-27T11:55:02.000000Z"}, {"uuid": "d17cb954-f4df-46f6-a198-a783d6424428", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2018-0886", "type": "seen", "source": "https://t.me/xakep_ru/3269", "content": "\u0421\u043e\u0442\u0440\u0443\u0434\u043d\u0438\u043a\u0438 \u043a\u043e\u043c\u043f\u0430\u043d\u0438\u0438 Preempt Security \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043b\u0438 \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u043e\u0441\u0442\u0438 \u043e \u043a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u043e\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 CVE-2018-0886, \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u0432\u0448\u0435\u0439 \u0441\u043e\u0431\u043e\u0439 \u043b\u043e\u0433\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0431\u0430\u0433 \u0432 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0435 CredSSP.\n\nhttps://xakep.ru/2018/03/15/credssp-rce/", "creation_timestamp": "2018-03-15T08:35:10.000000Z"}, {"uuid": "cc89191e-4cc5-479c-8eb0-2b7adfbfa35c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2018-0886", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/60", "content": "#exploit\nNew vulnerabilities in Microsoft products\n\n1. CVE-2018-0802:\nEquation Editor in MS Office 2007, 2010, 2013, 2016 - RCE\nhttps://github.com/zldww2011/CVE-2018-0802_POC\n]-> https://github.com/rxwx/CVE-2018-0802\nGenerate RTF exploit payload uses CVE-2017-11882, CVE-2017-8570, CVE-2018-0802, CVE-2018-8174\nhttps://github.com/dcsync/rtfkit\n\n2. CVE-2018-0824:\nRCE in \"Microsoft COM for Windows\"\nhttps://github.com/codewhitesec/UnmarshalPwn\n// This affects Win7, 8.1, 10, RT 8.1, Server 2012 R2, 2008/2008 R2, 2012, 2016\n\n3. CVE-2018-0886:\nCredSSP protocol in MS Windows Server 2008 SP2/R2 SP1, Win7 SP1, 8.1, RT 8.1, Server 2012/R2, Win10 Gold, 1511, 1607, 1703, 1709, Server 2016, 1709 - RCE\nhttps://github.com/preempt/credssp", "creation_timestamp": "2024-10-10T21:06:31.000000Z"}, {"uuid": "5bebf0f1-11d9-4cd2-ab2b-3122bb2cd2e3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2018-0886", "type": "published-proof-of-concept", "source": "https://t.me/canyoupwnme/3595", "content": "credssp\nThis is a poc code for exploiting CVE-2018-0886.\nhttps://github.com/preempt/credssp/blob/master/README.md", "creation_timestamp": "2018-04-16T23:51:44.000000Z"}]}