A recently discovered vulnerability in Microsoft’s remote desktop protocol (RDP) goes back to Windows Server 2012 R2 and lets anyone who can connect to an RDP session gain near total control over other RDP users, launching a man-in-the-middle attack.
Discovered by security researchers at CyberArk, the vulnerability has already been disclosed to Microsoft, which has in turn released a security update to fix it. Let that be your first warning: If your organization uses RDP, be sure you update affected systems as soon as possible.
The vulnerability occurs due to several factors, and “enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards,” said the report’s author, Gabriel Sztejnworcel.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
To briefly explain, RDP uses logical connections called “pipes” to split a single connection into various virtual channels. For example, when a user connects to RDP, different pipes are created to handle visual output, drive mapping, the clipboard, user input and other types of data.
Each of the pipes that an RDP server creates are named, and depending on the security settings of a pipe, duplicates with the same name can be created to handle multiple simultaneous connections. Names all start with TSVCPIPE and are followed with a GUID for the particular service that is randomly generated at creation, and each session uses the same named pipe.
Herein lies the problem: “It turns out that the TSVCPIPE security descriptor allows any user to create pipe server instances of the same name. Moreover, the data is sent over the pipes in clear text and without any integrity checks,” the report said.
So, if an attacker can connect to RDP, all they need to do is create a duplicate pipe and wait for a new connection. RDP automatically connects to the service that was created first, so when a new user connects, the existing malicious pipe will be the one their machine automatically connects to. At that point, the attacker controls both ends of the pipe and can read, pass and modify data between the client and host.
In testing, Sztejnworcel said his team was able to use the vulnerability to gain access to a victim’s drives and files, as well as hijacking smart cards used for login to impersonate users and escalate privileges.
How worried should you be about your vulnerable RDP?
Chris Clements, VP of solutions architecture at cybersecurity firm Cerberus Sentinel, said that, while the vulnerability is serious, it’s offset by the fact that an attacker has to already have gained access to an organization’s RDP service to initiate the attack.
Clements warns that, even with that caveat, there’s still cause for concern, especially for organizations that have an internet-facing RDP system that acts as a shared terminal with multiple simultaneous connections. “An attacker that was able to gain access to even a low-privileged account could exploit this vulnerability to pivot throughout the victim’s organization and cause significant damage,” Clements said.
Erich Kron, a security awareness advocate at KnowBe4, said the COVID-19 crisis and the shift to remote work have given bad actors a lot of new opportunities to exploit this vulnerability that they may not have had before. Websites like Shodan.io, which maps internet-connected devices into a searchable database, make the potential for misuse even higher, he said.
SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)
It’s worth noting that Shodan has legitimate uses, and it’s not a free service. That said, anyone who really wants to use it for nefarious purposes probably isn’t stopped by the need to fork over the $59 needed for a month of access.
“Whenever using RDP for remote access to their network, and especially with this vulnerability active, organizations should consider making any current RDP services only available through a VPN, removing direct access to the internet,” Kron said.
Kron also recommends the same things security professionals and business leaders have been hearing for years: Enable multi factor authentication, log all failed connection attempts and review them regularly, and train employees in good password practices and security habits.