[cve-2018-0886] Microsoft Changes CredSSP

[cocoon]

Hi there,
as I have not seen it here already:

As most of you might already know, there was a recent Windows Update that makes changes to Windows Servers and Clients (CredSSP + mstcs) that might cause troubles in near future.

I have tested and found one constellation that doesn't work:

Client: Windows 10 x64 fully updated

-> connects to XRDP/NeutrinoRDP -> connects to:

Server: Windows 2016 fully patched + GPO "Encryption Oracle Remediation" set to "Force Updated Clients"

Error: An internal error has occured.

A direct connection from Windows 10 to the Windows Server 2016 is working.

Microsoft Patch Notes + Coming changes:
https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

There are already some commits in FreeRDP to support the new protocol:
Examples:
FreeRDP/FreeRDP#4499
FreeRDP/FreeRDP#4510
https://github.com/FreeRDP/FreeRDP/pull/4504/files

[metalefty]

Thank you for your notification. I'm still not sure if this issue affects xrdp itself.

Regarding NeutrinoRDP, this issue should affect. I'm trying to introduce FreeRDP 2.0 module instead of NeutrinoRDP as I commented last week: #1075 (comment)

[metalefty]

I don't intend to replace NeutrinoRDP with FreeRDP 2.0. Just adding an option for users.

[cocoon]

"I'm trying to introduce FreeRDP 2.0 module"
That is great, this should indeed solve some problems and to have it as additional option would be perfect, thanks!

[metalefty]

I can't promise the result but I also really need FreeRDP. I'll make my best effort.

[kylebrandt]

Was also able to verify cocoon's behavior withHKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters set to 0 (what the GPO changes). For reference https://msdn.microsoft.com/en-us/library/cc226764.aspx has the technical documentation of the Protocol changes.

[speidy]

@cocoon Thanks for pointing this out!
I'll look into this issue and update.

I'm curious if this issue occurs right after connecting xrdp or after the proxy module strats to connect to the remote server.

In general, xrdp doesn't support NLA, thus, doesn't implement the CredSSP protocol right now.

An issue might occur if mstsc client is forced to do the new CredSSP.
Otherwise, i don't see a reason for such error to occur when connecting to xrdp.
xrdp, when requested to do NLA, will fallback to plain TLS right now, if supported by config.

[speidy]

This is related to NeutrinoRDP's CredSSP implementation as @metalefty already said.
We should update the code there to support new CredSSP.

[metalefty]

@speidy
Windows 10 Insider Preview 1803 17661.1001 cannot connect to xrdp now.
Authentication error occurs with error code 0x80004005. Seems like CredSSP is forced.

[20180507-01:12:01] [INFO ] Socket 12: AF_INET6 connection received from MASKED port 50646
[20180507-01:12:01] [DEBUG] Closed socket 12 (AF_INET6 MASKED port 3389)
[20180507-01:12:01] [DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
[20180507-01:12:01] [DEBUG] TLSv1.2 enabled
[20180507-01:12:01] [DEBUG] TLSv1.1 enabled
[20180507-01:12:01] [DEBUG] TLSv1 enabled
[20180507-01:12:01] [DEBUG] Security layer: requested 11, selected 1
ssl_tls_print_error: SSL_accept: Failure in SSL library (protocol error?)
trans_set_tls_mode: ssl_tls_accept failed
xrdp_sec_incoming: trans_set_tls_mode failed
xrdp_process_main_loop: libxrdp_process_incoming failed
ssl_tls_print_error: SSL_shutdown: Failure in SSL library (protocol error?)
[20180507-01:12:01] [DEBUG] Closed socket 12 (AF_INET6 MASKED port 3389)
xrdp_mcs_disconnect - socket closed

[metalefty]

Here's the screenshot. Means

• Authentication error occured (code: 0x80004005).
• Remote computer: foobar.example.com

[metalefty]

It turned out the 0x80004005 issue is not the CredSSP issue. The latest Win 10 Insider Preview requires ECDHE- cipher suites. However, xrdp v0.9.5 or before + OpenSSL 1.0.x cannot use ECDHE-. Thus cipher suite negotiation fails. Updating to v0.9.6 solves my issue.

Please forget it.

[speidy]

this issue is pure NeutrinoRDP issue. it better be reported there.
It requires supporting CredSSPv6 in NeutrinoRDP.

A quick workaround for proxy mode can be disable NLA in proxy module, so the client requests TLS only.

ref: https://github.com/neutrinolabs/xrdp/blob/devel/neutrinordp/xrdp-neutrinordp.c#L1591-L1599