New Windows zero-day flaw enables attackers to hijack active Remote Desktop sessions

• It can let attackers bypass Windows lock screen in systems, even those having two-factor authentication.
• The zero-day affects Windows 10 version 1803 and subsequent versions as well as Windows Server 2019.

A zero-day vulnerability has been discovered that impacts Windows systems with active Remote Desktop Protocol (RDP) sessions. Tracked as CVE-2019-9510, the vulnerability lies in Windows RDP Network Level Authentication(NLA) that allows attackers to bypass Windows lock screen and permit unauthorized access to the system. Systems with Windows 10 (version 1803 or later) and Server 2019 are affected by this authentication bypass flaw.

The big picture

• An advisory published by CERT Coordination Center, Carnegie Mellon University indicates that NLA-based RDP sessions had an unexpected behavior when it came to session locking.
• This led to an ‘unlocked’ condition of the system every time RDP connections were reinitiated regardless of how the system was left. In essence, remote systems with activated Windows lock screen could be unlocked without requiring credentials.
• Due to this flaw, two-factor authentication (2FA) mechanisms such as Duo Security MFA, could also be bypassed.
• As of now, there are no security patches provided by Microsoft to remediate this zero-day. However, the advisory suggests a few workarounds to prevent the flaw.

Worth noting

The advisory suggested that the flaw was due to the lock screen behavior when RDP sessions were active.

“It is important to note that this vulnerability is with the Microsoft Windows lock screen's behavior when RDP is being used, and the vulnerability is present when no MFA solutions are installed. While MFA product vendors are affected by this vulnerability, the MFA software vendors are not necessarily at fault for relying on the Windows lock screen to behave as expected,” read the advisory.