Latest Windows systems where remote desktop sessions use network level authentication
An attacker could hijack existing remote desktop service sessions in order to gain access to a computer.(CVE-2019-9510)
Advisory today from CERT|CC at the Carnegie Mellon University software engineering institute warns that session locking can behave in an unexpected way on the latest Windows systems where remote desktop sessions use NLA.
Even if a user specifically locks a windows machine during a RDP session, if the session temporarily disconnected, automatic re-connection restores the session to an unlock state regardless of how remote desktop system was left.
Since the NLA is enabled, attacker requires physical access to such a targeted system (ex ‐ active sessions with the locked screen), this will limit the attack surface to a greater extend.
✦ A target user connects to a Windows 10 or Server 2019 via RDP
✦ User locks the remote session and leaves the client device unattended
✦ An attacker with the access to the client device can interrupt its network connectivity and gain access to the remote system without credentials
✦ Stealing sensitive and private information
✦ Store or install malicious software or programs
✻ Update the latest version of the Mozilla's Firefox on Windows, Linux and Mac.
The information provided herein is on "as is" basis, without warranty of any kind.