Remote Desktop Zero-Day Bug Allows Attackers to Hijack Sessions

[silversurfer]

A new zero-day vulnerability has been disclosed that could allow attackers to hijack existing Remote Desktop Services sessions in order to gain access to a computer.
 
The flaw can be exploited to bypass the lock screen of a Windows machine, even when two-factor authentication (2FA) mechanisms such as Duo Security MFA are used. Other login banners an organization may set up are also bypassed.
 
The issue is now tracked as CVE-2019-9510 and is described as an authentication bypass using an alternate path or channel.
 
An advisory today from the CERT Coordination Center at the Carnegie Mellon University Software Engineering Institute (SEI), warns that session locking can behave in an unexpected way on the latest Windows systems where remote desktop sessions use NLA.
 
Even if a user specifically locks a Windows machine during an RDP session, if the session is temporarily disconnected, automatic reconnection restores the session to an unlocked state, "regardless of how the remote system was left." This affects Windows 10 starting version 1803 and Server 2019 or newer.

SOURCE: https://www.bleepingcomputer.com/news/se...-sessions/