Microsoft recently released patches for several vulnerabilities -- one of which is a critical bug for Windows' Remote Desktop Protocol (RDP) which stands a high probability of being exploited . Based on our experience in the field and previous penetration tests, Hacklabs believe that;
- Approximately 98% of all organisations run RDP internally
- 30% have RDP on an Internet facing Windows host.
Additionally, we anticipate that attackers will begin reverse engineering the patch immediately and subsequently attacks in the wild can be expected shortly. MS12-020 is an patch update for a vulnerability which exists within RDP which allows for unauthenticated remote code execution at the default privilege level that RDP normally runs for (SYSTEM on most Windows machines). The vulnerability has been assigned a CVE number CVE-2012-0002.
The Microsoft advisory has suggested that this patch be applied urgently , in anticipation that attacks against it will begin occurring in the not too distant future. Those with Automated Updates enabled will automatically receive the patch.
We suspect this will affect both small and large orgainsations equally. This is due to;
- Small business make use of Cloud Servers more frequently which use RDP (aka Terminal Services) to access the destop of the server. This means by design often it is internet facing.
- Many orgainsations - both large and small - use RDP extensively for management inside an internal network.
As a mitigating control, Microsoft have suggested that customers consider applying Network Level Authentication (NLA) however this will prevent older machines running Windows 2003 or Windows XP from connecting. However this mitigation does not eliminate the need to patch the machines as the vulnerable code is still present, it still requires an attacker to successfully authenticate first. Windows XP users simply need to download and enable CredSSP in order to authenticate to these hosts. Unfortunately there is no CredSSP support for Windows 2003.
HackLabs recommends that all clients test and apply this patch urgently. As part of a sound "defence-in-depth" strategy, Windows servers running RDP should not be directly Internet facing but rather reside behind a firewall, VPN or suitably hardened bastion gateway which directly limits connectivity to authorised users and networks only. Those running a Terminal Services Gateway should explore options for restricting access to the host to known and trusted networks and hosts if they have not already done so.
- MS12-020: Vulnerabilities in Remote Desktop could allow remote code execution: March 13, 2012:
- CVE-2012-0002: A closer look at MS12-020's critical issue
- Configure Network Level Authentication for Remote Desktop Services Connections