What is it?
Remote Desktop Protocol (RDP) lets a user on a remote computer control a computer on your network over the network. RDP comes pre-installed on Microsoft Windows but can also be used with Apple OSX computers. Many people use RDP to work from home; IT support departments also use it to perform remote maintenance and troubleshooting. By default RDP listens on TCP port 3389.
Credential Security Support Provider (CredSSP) is the part of the authentication process that passes the user's credentials to the target computer during a remote logon. CredSSP is used on Microsoft Windows servers.
Why is it a risk?
Certain versions of CredSSP contain a flaw that allows an attacker to bypass authentication and run commands on the remote computer.
How can you mitigate the risk?
The best approach is not to expose RDP to the Internet: use firewall rules either to block all traffic on port 3389 or to limit access to specific IP addresses or MAC addresses.
A software update for this specific vulnerability was released in March 2018 (an April 2018 follow-up improved error reporting). Note: updated clients will not be able to communicate with servers that have not been updated.
Keeping your Microsoft Windows server operating system up to date (patched) is good practice. If you have a current Microsoft service account, you can update to the latest version. If not, you can still apply patches that address specific vulnerabilities; see the link below.
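The two mitigations above (restricting inbound RDP at the firewall and confirming the CredSSP update's policy state) can be checked and applied from an elevated PowerShell session on the Windows server. The following is an added example and not part of the original page; it assumes Windows Defender Firewall with the English-language built-in rule group named "Remote Desktop", and the management subnet 203.0.113.0/24 is a constructed placeholder to replace with your own addresses.

```powershell
# Added example: harden RDP exposure and report the CredSSP remediation state.
# Run as Administrator. 203.0.113.0/24 is a constructed placeholder subnet.
$AllowedRdpSources = @('203.0.113.0/24')

# 1. CredSSP "Encryption Oracle Remediation" policy. The 2018 updates read this
#    registry value: 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable.
#    A missing value means the operating-system default for that update level applies.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$oracle = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
switch ($oracle.AllowEncryptionOracle) {
    0       { 'CredSSP policy: Force Updated Clients (strictest)' }
    1       { 'CredSSP policy: Mitigated' }
    2       { Write-Warning 'CredSSP policy: Vulnerable - unpatched peers are accepted; set the policy to 0 or 1' }
    default { 'CredSSP policy value not set; the operating-system default applies' }
}

# 2. Confirm every firewall profile is enabled and blocks inbound traffic by
#    default, so RDP is reachable only through an explicit allow rule.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 3. Disable the built-in "Remote Desktop" allow rules (they accept any source
#    address) and replace them with one rule scoped to the management subnet.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'RDP from management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AllowedRdpSources -Action Allow

# 4. List every rule that touches TCP 3389 so the resulting scope can be reviewed.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action
```

If the server must also accept RDP from a VPN concentrator or jump host, add its address to $AllowedRdpSources rather than re-enabling the built-in group; the built-in rules allow any source and would undo the restriction. Where a perimeter firewall exists, apply the same port 3389 restriction there as well, so the host rule is a second layer rather than the only one.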
The University of California, Berkeley link below provides excellent advice on securing RDP.
The United States CISA link below provides information about the most recent high-risk vulnerabilities.
Resources:
Microsoft CredSSP Update
https://support.microsoft.com/en-us/topic/credssp-updates-for-cve-2018-0886-5cbf9e5f-dc6d-744f-9e97-7ba400d6d3ea
Microsoft Updates (requires Internet Explorer)
https://update.microsoft.com
UC Berkeley Guide to securing RDP
https://security.berkeley.edu/education-awareness/best-practices-how-tos/system-application-security/securing-remote-desktop-rdp
US Cybersecurity and Infrastructure Security Agency (CISA)
https://us-cert.cisa.gov/ncas/alerts/aa20-014a