CredSSP Remote Code Execution Vulnerability March 2018 Security Update - Nessus
High Plugin ID: 128764This page contains detailed information about the CredSSP Remote Code Execution Vulnerability March 2018 Security Update Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 128764
Name: CredSSP Remote Code Execution Vulnerability March 2018 Security Update
Filename: smb_nt_ms18_mar_credssp_cve_2018_0886.nasl
Vulnerability Published: 2018-03-13
This Plugin Published: 2019-09-13
Last Modification Time: 2019-09-24
Plugin Version: 1.2
Plugin Type: local
Plugin Family: Windows
Dependencies:
os_fingerprint.nasl, smb_hotfixes.nasl
Required KB Items [?]: Host/OS
Vulnerability Information
Severity: High
Vulnerability Published: 2018-03-13
Patch Published: 2018-03-13
CVE [?]: CVE-2018-0886
CPE [?]: cpe:/o:microsoft:windows
Synopsis
The remote Windows host is affected by a remote code execution vulnerability.
Description
The remote Windows host allows fallback to insecure versions of Credential Security Support Provider protocol (CredSSP). It is therefore, affected by a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack. As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process. To be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients.
Solution
Apply patches and / or mitigations as described by Microsoft.
Public Exploits
Target Network Port(s): 139, 445
Target Asset(s): N/A
Exploit Available: True (Exploit-DB, GitHub)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the CredSSP Remote Code Execution Vulnerability March 2018 Security Update vulnerability:
- Exploit-DB: exploits/windows/remote/44453.md
[EDB-44453: Microsoft Credential Security Support Provider - Remote Code Execution] - GitHub: https://github.com/Ascotbe/Kernelhub
[CVE-2018-0886] - GitHub: https://github.com/DigitalRuby/IPBan
[CVE-2018-0886] - GitHub: https://github.com/Flerov/WindowsExploitDev
[CVE-2018-0886] - GitHub: https://github.com/cranelab/exploit-development
[CVE-2018-0886] - GitHub: https://github.com/jborean93/requests-credssp
[CVE-2018-0886] - GitHub: https://github.com/qazbnm456/awesome-cve-poc/blob/master/CVE-2018-0886.md
[CVE-2018-0886] - GitHub: https://github.com/ycdxsb/WindowsPrivilegeEscalation
[CVE-2018-0886] - GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/44453.zip
[EDB-44453] - GitHub: https://github.com/preempt/credssp
[CVE-2018-0886: A code demonstrating CVE-2018-0886]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS Score Source [?]: CVE-2018-0886
CVSS V2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
| CVSS Base Score: | 7.6 (High) |
| Impact Subscore: | 10.0 |
| Exploitability Subscore: | 4.9 |
| CVSS Temporal Score: | 6.0 (Medium) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 6.0 (Medium) |
| CVSS Base Score: | 7.0 (High) |
| Impact Subscore: | 5.9 |
| Exploitability Subscore: | 1.0 |
| CVSS Temporal Score: | 6.3 (Medium) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 6.3 (Medium) |
Go back to menu.
Plugin Source
This is the smb_nt_ms18_mar_credssp_cve_2018_0886.nasl nessus plugin source code. This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#
include("compat.inc");
if (description)
{
script_id(128764);
script_version("1.2");
script_cvs_date("Date: 2019/09/24 11:01:34");
script_cve_id("CVE-2018-0886");
script_bugtraq_id(103265);
script_name(english:"CredSSP Remote Code Execution Vulnerability March 2018 Security Update");
script_summary(english:"Checks for AllowEncryptionOracle registry value.");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a remote code execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote Windows host allows fallback to insecure versions of Credential Security
Support Provider protocol (CredSSP). It is therefore, affected by a remote code execution
vulnerability. An attacker who successfully exploited this vulnerability could relay user
credentials and use them to execute code on the target system. CredSSP is an authentication
provider which processes authentication requests for other applications; any application which
depends on CredSSP for authentication may be vulnerable to this type of attack. As an example
of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker
would need to run a specially crafted application and perform a man-in-the-middle attack against
a Remote Desktop Protocol session. An attacker could then install programs; view, change, or
delete data; or create new accounts with full user rights. The security update addresses the
vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates
requests during the authentication process. To be fully protected against this vulnerability users
must enable Group Policy settings on their systems and update their Remote Desktop clients.");
# https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f8ad7010");
# https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?858298d1");
script_set_attribute(attribute:"solution", value:
"Apply patches and / or mitigations as described by Microsoft.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0886");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/13");
script_set_attribute(attribute:"patch_publication_date", value:"2018/03/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/13");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("smb_hotfixes.nasl", "os_fingerprint.nasl");
script_require_keys("Host/OS");
script_require_ports(139, 445);
exit(0);
}
include('global_settings.inc');
include('misc_func.inc');
include('smb_func.inc');
include('audit.inc');
include('install_func.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_reg_query.inc');
os = get_kb_item_or_exit('Host/OS');
if('Windows' >!< os) audit(AUDIT_OS_NOT, 'Windows');
if('2003' >< os || 'XP' >< os) exit(0, 'Windows 2003 and Windows XP don\'t support CredSSP.');
registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
item = 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\CredSSP\\Parameters\\AllowEncryptionOracle';
value = get_registry_value(handle:hklm, item:item);
err = session_get_errorcode();
RegCloseKey(handle:hklm);
close_registry();
if (isnull(value))
{
# make sure NULL was returned solely due to the data not existing in the registry
if (err == ERROR_FILE_NOT_FOUND)
audit(AUDIT_HOST_NOT, 'affected. Registry key \'HKLM:\\\'' + item + ' not found.');
else
audit(AUDIT_FN_FAIL, 'get_registry_value', 'error code ' + error_code_to_string(err));
}
if (value != '2') audit(AUDIT_OS_CONF_NOT_VULN, os);
report = '\nValue name: HKLM\\' + item;
report += '\nValue data: 2';
security_report_v4(port:kb_smb_transport(), extra:report, severity:SECURITY_HOLE);
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/smb_nt_ms18_mar_credssp_cve_2018_0886.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\smb_nt_ms18_mar_credssp_cve_2018_0886.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/smb_nt_ms18_mar_credssp_cve_2018_0886.nasl
Go back to menu.
How to Run
Here is how to run the CredSSP Remote Code Execution Vulnerability March 2018 Security Update as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select Windows plugin family.
- On the right side table select CredSSP Remote Code Execution Vulnerability March 2018 Security Update plugin ID 128764.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl smb_nt_ms18_mar_credssp_cve_2018_0886.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a smb_nt_ms18_mar_credssp_cve_2018_0886.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - smb_nt_ms18_mar_credssp_cve_2018_0886.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state smb_nt_ms18_mar_credssp_cve_2018_0886.nasl -t <IP/HOST>Go back to menu.
References
BID | SecurityFocus Bugtraq ID: See also:
- https://www.tenable.com/plugins/nessus/128764
- http://www.nessus.org/u?858298d1
- http://www.nessus.org/u?f8ad7010
- https://vulners.com/nessus/SMB_NT_MS18_MAR_CREDSSP_CVE_2018_0886.NASL
- 122847 - openSUSE Security Update : freerdp (openSUSE-2019-325)
- 121462 - openSUSE Security Update : freerdp (openSUSE-2019-96)
- 108284 - KB4088776: Windows 10 Version 1709 and Windows Server Version 1709 March 2018 Security Update
- 108285 - KB4088779: Windows 10 Version 1511 March 2018 Security Update
- 108286 - KB4088782: Windows 10 Version 1703 March 2018 Security Update
- 108288 - KB4088786: Windows 10 March 2018 Security Update
- 108289 - KB4088787: Windows 10 Version 1607 and Windows Server 2016 March 2018 Security Update
- 108290 - KB4088878: Windows 7 and Windows Server 2008 R2 March 2018 Security Update (Meltdown)(Spectre)
- 108291 - KB4088879: Windows 8.1 and Windows Server 2012 R2 March 2018 Security Update (Meltdown)(Spectre)
- 108292 - KB4088880: Windows Server 2012 March 2018 Security Update (Meltdown)(Spectre)
- 108300 - Security Updates for Windows Server 2008 (March 2018)
- 109651 - Security Updates for Windows Server 2008 (May 2018)
- 121302 - SUSE SLED12 Security Update : freerdp (SUSE-SU-2019:0134-1)
- 122608 - SUSE SLED15 / SLES15 Security Update : freerdp (SUSE-SU-2019:0539-1)
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file smb_nt_ms18_mar_credssp_cve_2018_0886.nasl version 1.2. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
