Microsoft CVE-2018-0886 - Return of the CredSSP

Is anyone else seeing a significant uptick in the number of systems vulnerable to CVE-2018-0886? Rapid7 seems to have updated their check for this vulnerability, but I cannot find any way to confirm this. I distinctly remember there used to be a registry check for the “AllowEncryptionOracle” setting, but now I’m only getting a Windows version check and UBR value in the Proof for this vulnerability.


The Rapid7 Entry for this CVE says that it was last modified on June 29th, but I don’t know of any changelog that describes what was updated:

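For anyone trying to confirm locally what a scanner check is (or is not) looking at, here is an added PowerShell example that is not part of the original post and not Rapid7's check logic. It reads the two signals on a Windows host: the CredSSP `AllowEncryptionOracle` policy value and the OS build plus UBR (Update Build Revision). The registry locations are the ones Microsoft documents for the CredSSP update; the mapping of `AllowEncryptionOracle` values to meanings follows that guidance, and the script only reads, never changes, anything.

```powershell
# Added example (not from the thread): report the host-side signals a
# CVE-2018-0886 check can use. Registry paths are those documented by Microsoft
# for the CredSSP update; the script is read-only.

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$versionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Meaning of AllowEncryptionOracle per Microsoft's CredSSP guidance
$oracleMeaning = @{
    0 = 'Force Updated Clients (most restrictive)'
    1 = 'Mitigated'
    2 = 'Vulnerable (update installed but protection disabled)'
}

# Policy value may be absent when no policy has been configured
$oracle = (Get-ItemProperty -Path $policyKey -Name AllowEncryptionOracle `
           -ErrorAction SilentlyContinue).AllowEncryptionOracle

# Build number and UBR are what a version-only check compares against
$ver   = Get-ItemProperty -Path $versionKey
$build = $ver.CurrentBuildNumber   # e.g. 17134
$ubr   = $ver.UBR                  # Update Build Revision, e.g. 48

if ($null -eq $oracle) {
    $oracleText = 'not configured (update default applies)'
} else {
    $oracleText = $oracleMeaning[[int]$oracle]
}

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    OSBuild               = "$build.$ubr"
    AllowEncryptionOracle = $oracle
    Meaning               = $oracleText
}
```

Running this on a host the scanner flags shows which of the two signals the finding rests on: a build/UBR older than the CredSSP update means the patch itself is missing, whereas a current build with `AllowEncryptionOracle` set to 2 means the patch is present but the protection has been disabled by policy, which is the state a version-only check cannot distinguish from a remediated host.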

Hey @anthony_onorati - I checked with our teams on this one to get some more info, since there isn’t a specific CVE changelog. Over the past few months we’ve been updating a lot of these particular types of checks to help resolve the false positives some folks have reported. Unfortunately this introduced some more false positives - we think because of the way Microsoft handles the base vulnerable library when a feature is disabled (and we currently don’t account for whether a feature is enabled/disabled). But it’s possible that this has resulted in the uptick that you’ve mentioned here.

We’re planning on reverting the changes to these checks due to these new false positives. I’m still looking to confirm whether the revert has been completed yet, but ideally once it is you can update your content and re-scan to see if these vulns have been remediated. If you’re looking for some more detailed info on the issue, I believe our Support team can provide that as well, if you do want to reach out.

It looks like the changes with regards to these Microsoft checks have been released, so folks should be able to update and do a re-scan to see if the associated vulns were remediated.