• taladar@sh.itjust.works · arrow-up 0 · 3 days ago

    So, if I understand that correctly, that cache is never updated again after it is initially created? Wouldn’t that lead to a lot of issues when the online account has its password changed, in terms of the new password not working too? Something seems to be missing from this article.

    • Gibibit@lemmy.world · arrow-up 0 · 3 days ago

      That is addressed in the article:

      Even after users change their account password, however, it remains valid for RDP logins indefinitely. In some cases, [independent security researcher Daniel] Wade reported, multiple older passwords will work while newer ones won’t.

      • taladar@sh.itjust.works · arrow-up 1 · edited · 3 days ago

        Yeah, but “some cases” is extremely vague. If it is indeed cached indefinitely under all circumstances, I would expect changed passwords to never work at all.

        If it is just “some cases”, it could be anything from the system using a stale cache only when it cannot reach the online server (reasonable), to caches still being in some kind of TTL period, to some sort of bug.

      • SL3wvmnas@discuss.tchncs.de · arrow-up 0 · 3 days ago

        “We originally looked at a code change for this issue, but after further review of design documentation, changes to code could break compatibility with functionality used by many applications.”

        Year of the Linux (Server|Desktop). Seriously. If you are in IT, please look into this (and hide your RDP server behind some VPN. No, not MS RDP Gateway.)

        • the_crotch@sh.itjust.works · arrow-up 1 · 3 days ago

          hide your RDP server behind some VPN

          Anyone who isn’t doing this already is dumb. Same goes for exposing SSH publicly. I don’t care that you’re using a cert to log in; if there’s a 0-day in the OpenSSH server, you’re boned.