In March 2018, Microsoft released a security update that fixes a remote code execution vulnerability in the Credential Security Support Provider Protocol (CredSSP). This vulnerability (CVE-2018–0886) allows an attacker to remotely execute arbitrary code on a vulnerable Windows host with an open RDP port (TCP/3389). Any app that used the CredSSP provider for authentication may be vulnerable to this type of attack. In May 2018, an update “2018-05 Security only/Monthly Rollup” was released. It blocks the RDP connection to computers with an affected version of CredSSP.
When you try to connect to a remote computer with a vulnerable CredSSP version from Windows 10/Windows Server 2016, you receive the Remote Desktop Connection error:
An authentication error has occurred.
The function is not supported.
Remote Computer: hostname
This could be due to CredSSP encryption oracle remediation.
For more information, see the link.
On Windows 7, the CredSSP error looks like this:
An authentication error has occurred.
The function requested is not supported.
Remote computer: hostname
Note. CredSSP protocol (Credential Security Support Provider) is a built-in Windows authentication provider that handles authentication requests from other services and applications.
To fix This could be due to credssp encryption oracle remediation error, you need to install the latest Windows security updates on the remote computer. You can install the latest Cumulative Update for your Windows version. You can download the update manually via Microsoft Update Catalog or install it via Windows Update or WSUS.
Hint. CredSSP authentication error appears only when you try to connect via RDP from a computer on which the latest security updates are installed to a non-updated computer (for example, a computer that never gets updates, or a clean installed device with a Windows 10/Windows Server 2016 build that was released before March 2018).
There is a workaround allowing you to temporarily connect to a computer with a vulnerable version of CredSSP. For example, you made a clean install of Windows Server 2016 to a virtual machine or physical host and now you want to remotely connect to the server to configure Windows Update/WSUS settings and install Windows security updates.
To do this, you need to configure a special Group Policy parameter named Encryption Oracle Remediation on your computer from which you are establishing the Remote Desktop connection.
- Press Win+R, type gpedit.msc, and press Enter;
- Go to the following section of the Local Group Policy Editor: Computer Configuration > Administrative Templates > System > Credentials Delegation;
- Open the policy setting Encryption Oracle Remediation;
- Change its state to Enabled, and set Vulnerable in the Protection Level field;
- Update the Group Policy settings using the command:
Hint. You can also allow your computer to connect to a host with vulnerable versions of CredSSP through the registry. Run the following command through an elevated command prompt:reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /f /v AllowEncryptionOracle /t REG_DWORD /d 2
Now you can connect to the remote host via RDP and install the updates.
There are 3 options in the “Encryption Oracle Remediation” policy:
- Vulnerable — the client can connect to vulnerable computers;
- Mitigated — the client cannot connect to vulnerable servers, but the servers can allow vulnerable clients to connect;
- Force Updated Clients — secure RDP CredSPP interoperability layer.
If from a computer that doesn’t have the CredSPP security update installed you can’t connect to an updated RDP/RDS host with the “Force updated clients” option enabled, you can allow the server to accept connections with an affected version of CredSPP. To do this, you need to enable the policy with the Mitigated value on the server. In this way, to make changes to the server you can remotely connect to it via PowerShell under admin credentials:
Enter-PSSession -ComputerName RDSServer01 -Credential RDSServer01\administrator
And allow the connection:
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord
Another way to quickly connect to a host with a vulnerable CredSSP version is to disable Network Level Authentication (NLA) for RDP connections. To do this:
- Open System Properties by running the sysdm.cpl command;
- Go to the Remote tab and disable the option Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended
- Save your changes by clicking OK.
You can also disable NLA for RDP connection using the PowerShell command:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 0
Now you will be able to connect to the remote host via RDP, but this is not a security solution. After that, you need to go to Settings > Update and Security > Windows Update (you can go to this section by running the command ms-settings:windowsupdate). Click on the Check for Updates button. Wait for Windows to download and install the latest security updates.
Here we collected direct links to download MSU updates (security-only updates) that fix the CredSSP vulnerability for older versions of Windows:
- Windows Server 2016 and Windows 10 LTSB — KB4103723
- Windows Server 2012 R2 and Windows 8.1 — KB4103715
- Windows Server 2008 R2 SP1 and Windows 7 Service Pack 1 — KB4103712
Note. Old Windows 10 builds such as 1507 (original release, RTM) and 1511 don’t have security patches to fix the CredSSP CredSSP Oracle remediation vulnerability. The fact is that the period of support for these Windows 10 builds ended in 2018 and no new updates have been released for them since that time. Update your Windows 10 to the latest build available.
After upgrading, don’t forget to disable the policy or reset the AllowEncryptionOracle registry value to its original value:
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /f /v AllowEncryptionOracle /t REG_DWORD /d 0
And enable NLA (if you disabled it earlier):
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /v UserAuthentication /t REG_DWORD /d 1 /f
In all cases, Microsoft always recommends installing the latest Windows updates on both the RDP server and the client.