Tagged as CVE-2019-9510, the flaw affects Windows Remote Desktop Protocol NLA, which would allow for attackers to work around the Windows lock screen and gain access without prior approval. Any system running Windows 10 1803 or later can become victim to the vulnerability. Researchers noticed a strange behavior when attempting to lock sessions. Anytime RDP connections were restarted, remote systems with an active Windows lock screen could be bypassed without credentials, even ones that had implemented 2FA. A portion of a security advisory by researchers read, “It is important to note that this vulnerability is with the Microsoft Windows lock screen’s behavior when RDP is being used, and the vulnerability is present when no MFA solutions are installed. While MFA product vendors are affected by this vulnerability, the MFA software vendors are not necessarily at fault for relying on the Windows lock screen to behave as expected.” Microsoft has not yet released a fix for the flaw but there should be more information during this month’s patch Tuesday.
Analyst Notes
Suggested workarounds for this vulnerability until Microsoft releases a patch include protecting access to RDP client systems and disconnecting RDP sessions versus attempting to lock them. This would discredit the session that was previously ongoing and would prevent an automation reconnection.
