An authentication error has occurred. The function requested is not supported. This could be due to CredSSP encryption oracle remediation. CVE-2018-0886

Problem:

I’ve been working furiously on some Citrix XenApp stuff recently on shiny new Server 2016 boxes.  Yesterday was a productive day and all was well.  With it also being Patch Tuesday and my machines part of the Patient Zero Device Collection targeted for updates I received May’s patches last night/this morning.

Today, when I attempted to RDP into Server 2016 boxes I received the following error:

CredSSPOracle

[Window Title]
Remote Desktop Connection

[Content]
An authentication error has occurred.
The function requested is not supported

Remote computer: <remote computer>
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

[OK]

Cause:

This is intentional and I urge you to direct your attention to the URL in the message: https://go.microsoft.com/fwlink/?linkid=866660

Cliff’s Notes version of the cause from the article:

  • The initial March 13, 2018, release updated the CredSSP authentication protocol but did NOT enforce the new version of the CredSSP protocol.
  • The April 17, 2018, Remote Desktop Client (RDP) update in KB 4093120 enhances the error message that is presented when an updated client fails to connect to a server that has not been updated.
  • The May 8, 2018, update makes the new updates CredSSP protocol mandatory.
    This intentional change adjusts the default setting from ‘Vulnerable’ to ‘Mitigated’.

Solution:

In reviewing the interoperability matrix there are only a few blocked scenarios:

  1. Server Patched ‘Force updated clients’ + Clients Unpatched = Blocked
  2. Server Unpatched + Clients Patched ‘Force updated clients’ = Blocked
  3. Server Unpatched + Clients Patched ‘Mitigated’ = Blocked

Well I know my client is patched so that rules out Scenario 1, making it clear our Server 2016 servers are missing KB 4103723.

Solution: Patch your servers!

Fauxlution

This is not a solution.  It’s a fake solution or as I like to call them faux-lutions.

So is there a workaround?  Sure.  So in my particular scenario, I would set the patched client(s) to ‘Vulnerable’  which means that I would then be exposing remote servers to attacks by supporting fallback to insecure versions.

Arguments can be made either way to justify this but I don’t think its wise:

  • It negatively affects our security posture
  • I’m human thus prone to forgetting things and then I’ll never undo it.

I’d rather submit an emergency change request to patch the servers.

In fact, Microsoft’s recommendation is to set AllowEncryptionOracle on clients and server computers as soon as possible to one of the following:

  • Force updated clients = 0
  • Mitigated = 1

But if you want to go down this slippery slope at your own risk, set on your patched client(s), set AllowEncryptionOracle to 2 and you’ll be able to connect to your unpatched server(s):


reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /d 2 /t reg_dword

The documentation states a reboot is required but in testing, a reboot is not required.

References:

  1. CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability
  2. Windows 10 1803 May 8, 2018—KB4103721 (OS Build 17134.48)
  3. Windows 10 1709 May 8, 2018—KB4103727 (OS Build 16299.431)
  4. Windows 10 1703 May 8, 2018—KB4103731 (OS Build 15063.1088)
  5. Windows 10 1607 & Server 2016 May 8, 2018—KB4103723 (OS Build 14393.2248)

 

Whatever route you take, I bid you Good Providence!

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s