Summary
Credential Security Support Provider protocol (CredSSP) is an authentication provider that processes authentication requests for other applications.
A remote code execution vulnerability exists in unpatched versions of CredSSP. An attacker who successfully exploits this vulnerability could relay user credentials to execute code on the target system. Any application that depends on CredSSP for authentication may be vulnerable to this type of attack. This security update addresses the vulnerability by correcting how CredSSP validates requests during the authentication process.
To learn more about the vulnerability, see CVE-2018-0886.
Updates
March 13, 2018
The initial March 13, 2018, release updates the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.
Mitigation consists of installing the update on all eligible client and server operating systems and then using the included Group Policy settings or their registry-based equivalents to manage the setting on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible. These changes require a reboot of the affected systems. Pay close attention to Group Policy or registry setting pairs that result in “Blocked” interactions between clients and servers in the compatibility table later in this article.
April 17, 2018
The Remote Desktop Client (RDP) update in KB 4093120 enhances the error message that is presented when an updated client fails to connect to a server that has not been updated.
May 8, 2018
An update to change the default setting from Vulnerable to Mitigated.
Related Microsoft Knowledge Base numbers are listed in CVE-2018-0886.
By default, after this update is installed, patched clients cannot communicate with unpatched servers. Use the interoperability matrix and group policy settings described in this article to enable an “allowed” configuration.
Group Policy
Policy path: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
Setting name: Encryption Oracle Remediation

Description (as shown in the Group Policy editor):
This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop Connection). Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers and lets you set the level of protection that you want for the encryption oracle vulnerability. If you enable this policy setting, CredSSP version support is selected based on the following options:
Force Updated Clients: Client applications that use CredSSP will not be able to fall back to insecure versions, and services that use CredSSP will not accept unpatched clients. Note: This setting should not be deployed until all remote hosts support the newest version.
Mitigated: Client applications that use CredSSP will not be able to fall back to insecure versions, but services that use CredSSP will accept unpatched clients.
Vulnerable: Client applications that use CredSSP will expose the remote servers to attacks by supporting fallback to insecure versions, and services that use CredSSP will accept unpatched clients.
The Encryption Oracle Remediation Group Policy supports the following three options, which should be applied to clients and servers:

Policy setting        | Registry value | Client behavior | Server behavior
Force updated clients | 0 | Client applications that use CredSSP will not be able to fall back to insecure versions. | Services that use CredSSP will not accept unpatched clients. Note: This setting should not be deployed until all Windows and third-party CredSSP clients support the newest CredSSP version.
Mitigated             | 1 | Client applications that use CredSSP will not be able to fall back to insecure versions. | Services that use CredSSP will accept unpatched clients.
Vulnerable            | 2 | Client applications that use CredSSP will expose remote servers to attacks by supporting fallback to insecure versions. | Services that use CredSSP will accept unpatched clients.
The May 8, 2018, update (see Updates) changes the default behavior from “Vulnerable” to the “Mitigated” option.
Note Any change to Encryption Oracle Remediation requires a reboot.
Registry value
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
The update introduces the following registry setting:
Registry path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
Value: AllowEncryptionOracle
Data type: DWORD
Reboot required? Yes
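The following PowerShell is an added example, not part of the Microsoft article, that manages the registry-based equivalent of the Encryption Oracle Remediation policy described in the Updates section and the table above. The key path, value name and the three DWORD values are the documented ones; the function names are this example's own, and it assumes an elevated session on a host that already has the CredSSP update installed.

```powershell
# Added example (not from the Microsoft article): read and set the
# AllowEncryptionOracle value that backs the Encryption Oracle Remediation policy.
# Function names are this example's own; path, value name and levels are from the KB.

$CredSspKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$CredSspName = 'AllowEncryptionOracle'

# The only three values the policy defines (0, 1, 2); nothing else is ever written.
$CredSspLevels = @{ ForceUpdatedClients = 0; Mitigated = 1; Vulnerable = 2 }

function Get-CredSspOracleLevel {
    # Returns the configured level name, 'NotConfigured' if the value is absent,
    # or 'Unknown(n)' for a value outside the documented range.
    # Absent means the OS default applies: Vulnerable before the May 8, 2018 update,
    # Mitigated once that update is installed.
    $item = Get-ItemProperty -Path $CredSspKey -Name $CredSspName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    $value = [int]$item.$CredSspName
    $match = $CredSspLevels.GetEnumerator() | Where-Object { $_.Value -eq $value }
    if ($null -eq $match) { return "Unknown($value)" }
    return $match.Key
}

function Set-CredSspOracleLevel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('ForceUpdatedClients', 'Mitigated', 'Vulnerable')]
        [string]$Level
    )
    if ($Level -eq 'Vulnerable') {
        Write-Warning 'Vulnerable re-enables fallback to the insecure CredSSP version on this host.'
    }
    if ($Level -eq 'ForceUpdatedClients') {
        Write-Warning 'Force updated clients rejects every unpatched client; deploy it only after all CredSSP clients are updated.'
    }
    $target = "$CredSspKey\$CredSspName"
    if ($PSCmdlet.ShouldProcess($target, "Set to $Level ($($CredSspLevels[$Level]))")) {
        if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
        # -Force overwrites an existing value; the policy is a REG_DWORD.
        New-ItemProperty -Path $CredSspKey -Name $CredSspName -Value $CredSspLevels[$Level] `
            -PropertyType DWord -Force | Out-Null
        Write-Warning 'A reboot is required before the new level takes effect.'
    }
}

# Usage (elevated): report the current level, then move the host to Mitigated.
Get-CredSspOracleLevel
Set-CredSspOracleLevel -Level Mitigated -WhatIf   # drop -WhatIf to apply
```

Where the setting is delivered by Group Policy, the same key is written by the policy engine and a manual edit is overwritten at the next refresh, so use this only on hosts that are not in scope of the GPO or to confirm what the GPO applied.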
Interoperability matrix
Both the client and server need to be updated, or Windows and third-party CredSSP clients may not be able to connect to Windows or third-party hosts. See the following interoperability matrix for scenarios that are either vulnerable to the exploit or cause operational failures.
Note When connecting to a Windows Remote Desktop server, the server can be configured to use a fallback mechanism that employs the TLS protocol for authentication, and users may get different results than described in this matrix. This matrix only describes the behavior of the CredSSP protocol.
                              | Server: Unpatched | Server: Force updated clients | Server: Mitigated | Server: Vulnerable
Client: Unpatched             | Allowed | Blocked | Allowed | Allowed
Client: Force updated clients | Blocked | Allowed | Allowed | Allowed
Client: Mitigated             | Blocked | Allowed | Allowed | Allowed
Client: Vulnerable            | Allowed | Allowed | Allowed | Allowed

“Allowed” means the connection succeeds; it does not mean the client is protected. The client's exposure to CVE-2018-0886 depends only on the client setting:

Client setting        | CVE-2018-0886 patch status
Unpatched             | Vulnerable
Force updated clients | Secure
Mitigated             | Secure
Vulnerable            | Vulnerable
Windows event log errors
Event ID 6041 will be logged on patched Windows clients if the client and remote host are configured in a blocked configuration.
Event log: System
Event source: LSA (LsaSrv)
Event ID: 6041
Event message text: A CredSSP authentication to <hostname> failed to negotiate a common protocol version. The remote host offered version <Protocol Version> which is not permitted by Encryption Oracle Remediation.
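The following PowerShell is an added example, not part of the Microsoft article, that collects Event ID 6041 from a patched client and turns the message text into a list of remote hosts that were refused and the CredSSP version each offered. The log, source, ID and message wording are the documented ones; the function names, the regular expression and the sample message are this example's own.

```powershell
# Added example (not from the Microsoft article): find LsaSrv 6041 events and
# summarise which remote hosts were blocked by Encryption Oracle Remediation.
# Function names, regex and the sample message are this example's own.

function ConvertFrom-CredSspBlockMessage {
    # Parses the documented 6041 message text into host and offered version.
    # Returns $null when the text does not match the documented wording.
    param([Parameter(Mandatory = $true)][string]$Message)
    $pattern = 'CredSSP authentication to (?<host>\S+) failed to negotiate a common protocol version\. ' +
               'The remote host offered version (?<version>\d+)'
    if ($Message -match $pattern) {
        return [pscustomobject]@{
            RemoteHost     = $Matches['host']
            OfferedVersion = [int]$Matches['version']
        }
    }
    return $null
}

function Get-CredSspBlockedConnections {
    # Queries the System log for LsaSrv 6041 events (newest first) and groups
    # them by remote host so an admin can see which servers still need patching.
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = 'System'; ProviderName = 'LsaSrv'; Id = 6041 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-CredSspBlockMessage -Message $_.Message
            if ($null -ne $parsed) {
                [pscustomobject]@{
                    TimeCreated    = $_.TimeCreated
                    RemoteHost     = $parsed.RemoteHost
                    OfferedVersion = $parsed.OfferedVersion
                }
            }
        } |
        Group-Object RemoteHost |
        ForEach-Object {
            $newest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                RemoteHost     = $_.Name
                Attempts       = $_.Count
                LastAttempt    = $newest.TimeCreated
                OfferedVersion = $newest.OfferedVersion
            }
        }
}

# Offline check against a constructed message in the documented format.
$sample = 'A CredSSP authentication to srv01.corp.example failed to negotiate a common protocol version. ' +
          'The remote host offered version 2 which is not permitted by Encryption Oracle Remediation.'
ConvertFrom-CredSspBlockMessage -Message $sample

# Live query on a patched client (requires read access to the System log).
Get-CredSspBlockedConnections | Format-Table -AutoSize
```

Every host in the output is one that the client's current level refuses to talk to; per the interoperability matrix the fix is to patch that host, not to drop the client back to “Vulnerable”. Note that the event is only logged on patched clients, so an unpatched client paired with a “Force updated clients” server produces the RDP error dialog below but no 6041 entry.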
Errors generated by CredSSP-blocked configuration pairs by patched Windows RDP clients

Errors presented by the Remote Desktop Client without the April 17, 2018 patch (KB 4093120)

Unpatched pre-Windows 8.1 and Windows Server 2012 R2 clients paired with servers configured with “Force Updated Clients” | Errors generated by CredSSP-blocked configuration pairs by patched Windows 8.1/Windows Server 2012 R2 and later RDP clients
An authentication error has occurred. The token supplied to the function is invalid. | An authentication error has occurred. The function requested is not supported.

Errors presented by the Remote Desktop Client with the April 17, 2018 patch (KB 4093120)

Unpatched pre-Windows 8.1 and Windows Server 2012 R2 clients paired with servers configured with “Force Updated Clients” | Errors generated by CredSSP-blocked configuration pairs by patched Windows 8.1/Windows Server 2012 R2 and later RDP clients
An authentication error has occurred. The token supplied to the function is invalid. | An authentication error has occurred. The function requested is not supported. Remote computer: <hostname> This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660
Third-party remote desktop clients and servers
All third-party clients or servers must use the latest version of the CredSSP protocol. Please contact the vendors to determine if their software is compatible with the latest CredSSP protocol.
The protocol updates can be found on the Windows Protocol Documentation site.
File changes
The following system file has been changed in this update:
- tspkg.dll
The credssp.dll file remains unchanged. For file version information, see the relevant update articles.