Even after users change their account password, however, it remains valid for RDP logins indefinitely. In some cases, Wade reported, multiple older passwords will work while newer ones won’t. The result: persistent RDP access that bypasses cloud verification, multifactor authentication, and Conditional Access policies.

  • wizardbeard@lemmy.dbzer0.com · 13 upvotes · edited · 10 hours ago

    This is someone trying to spin a CVE out of the way Windows has handled password caching for literal decades. If it can’t reach the IDP, it allows you to log in using the last confirmed valid password.

    Of course CA won’t work if you can’t reach Entra to pull them. Of course the machine can’t require you to use the newest password if it can’t reach AD to check against it instead of the cached one. This is basic fucking functionality that any serious Windows admin should already be familiar with.

    It’s definitely an interesting edge case where you can’t reach Entra or AD but the device can still be reached by RDP, but this “security hole” is literally what the caching is meant for: maintaining the ability to access the machine if the IDP isn’t reachable.

    It’s how almost any org using AD as their IDP allows users to log in from home before they are connected to VPN. Microsoft isn’t going to break that functionality.

    In an ideal world, there would be separate password caching controls for every combo of AD/Entra/Other IDP and local/remote, but here in the real world this functionality can be controlled by the same controls for it that have been around for literal decades. In an ideal world, there’d also be ways for CA policies to be cached and enforced locally if Entra isn’t reachable, but here we are.

    Also, shame on Ars Technica for not linking the actual research, and for being as vague as fucking possible about the details in service of making this clickbait.

    • Kissaki@programming.dev (OP) · 1 upvote · edited · 5 hours ago

      “If it can’t reach the IDP”

      But also when being able to reach the IDP, no?

      I don’t see how being able to use passwords previous to the previous makes any sense even with that in mind.

      When the PC can connect to the IDP, I would expect it to validate against that one and only that one.
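The "controls that have been around for literal decades" that wizardbeard's comment refers to are the cached-logon policy ("Interactive logon: Number of previous logons to cache (in case domain controller is not available)"), backed by the CachedLogonsCount registry value. The following is an added example, not code from the thread or from Microsoft, that audits and optionally hardens that setting; it assumes an elevated PowerShell session on an AD-joined Windows host, that the Windows default of 10 applies when the value is absent, and that the valid range is 0-50.

```powershell
# Added example: audit/harden the Windows cached-logon count that lets a user
# log on with the last validated password when no domain controller is reachable.
# Assumptions: AD-joined host, elevated session, default 10 when value absent.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$DefaultCachedLogons = 10

function Get-CachedLogonsSetting {
    # Reads CachedLogonsCount (REG_SZ) and reports the effective value and its origin.
    $item = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $count  = $DefaultCachedLogons   # value missing: Windows falls back to its default
        $source = 'default'
    } else {
        $count  = [int]$item.CachedLogonsCount
        $source = 'registry'
    }
    $verdict = if ($count -eq 0) {
        'cached domain logons disabled; offline/DC-unreachable logon will fail'
    } else {
        "up to $count accounts can log on with cached credentials when the DC is unreachable"
    }
    [pscustomobject]@{
        CachedLogonsCount   = $count
        Source              = $source
        OfflineLogonAllowed = ($count -gt 0)
        Verdict             = $verdict
    }
}

function Set-CachedLogonsCount {
    # Writes the new count as REG_SZ (the type Windows expects) and returns the audit result.
    param([Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count)
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value ([string]$Count) -Type String
    Get-CachedLogonsSetting
}

# Audit first. A laptop fleet that must log on off-network keeps a non-zero count;
# an always-on-LAN server that is reachable over RDP is a candidate for
# Set-CachedLogonsCount -Count 0, which removes the cached-password path entirely.
Get-CachedLogonsSetting | Format-List
```

Setting the count to 0 trades the offline-logon convenience the comment describes for eliminating the cached-password path, so apply it per host role rather than fleet-wide.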