Critical Remote Desktop Flaw Identified in Microsoft Windows Operating Systems
A newly discovered vulnerability in the Microsoft Remote Desktop Protocol (RDP) has been announced, along with a corresponding patch for Windows XP, 7, 2003, 2008, and 2008 R2. Successful exploitation is possible by a remote, unauthenticated attacker with no user interaction. This represents the most severe class of vulnerability: an attacker can execute code (i.e. malware) on a system with elevated privileges simply by sending crafted RDP packets to a vulnerable system.
The security industry is drawing many parallels between this newly identified vulnerability and the MS17-010 (ETERNALBLUE) vulnerability that allowed the global spread of the WannaCry ransomware several years ago. Like WannaCry, this vulnerability is “wormable”: once a target system is compromised, it can be used to identify additional vulnerable systems and exploit them automatically. For example, a single vulnerable RDP server exposed directly to the internet can lead to complete compromise of the internal network. Once the internet-facing system is compromised, it may become a pivot point into the internal network, where many RDP services are typically available for exploitation.
In fact, this vulnerability may be even more severe than the MS17-010 vulnerability exploited to spread WannaCry. MS17-010 relied on a vulnerability in the Server Message Block protocol (port 445), which is sometimes, but not often, exposed directly to the internet. The newly identified vulnerability, however, exists in the Remote Desktop Protocol (port 3389), which sees much more widespread exposure on the internet. Organizations often expose certain internal systems to the internet via RDP to allow remote access, since remote access is the purpose of RDP. Because a significantly higher number of systems expose RDP to the internet than expose SMB, this vulnerability poses a significantly higher risk.
While there are no known reports of this vulnerability being exploited in the wild, Microsoft has released a set of patches to address the potential risk. Microsoft has even taken the very rare step of releasing patches for legacy operating systems such as Windows XP, which demonstrates the level of risk Microsoft associates with this vulnerability. In the window between Microsoft releasing the patch and organizations finishing their testing and deployment of it, numerous threat actors will be attempting to reverse engineer the patch in order to identify the exact vulnerability. Once the vulnerability is understood, these threat actors will build a weaponized exploit and use it to spread ransomware or cryptocoin miners, or to gain a foothold in target organizations.
OCD Tech anticipates widespread, global attacks targeting this vulnerability within the next several weeks, akin to what occurred once the WannaCry worm hit its stride. If attackers choose to leverage the “wormable” aspect of this vulnerability, the scale of the attack could be truly unprecedented.
OCD Tech recommends the following mitigations:
- Ensure that no RDP services are directly exposed to the internet. RDP services that must be reachable remotely should first require a VPN connection or other authenticated tunnel, so that internal systems are protected from direct remote compromise.
- Enable Network Level Authentication (NLA) via GPO for all RDP services. Systems with NLA enabled are protected against “wormable” RDP malware, because NLA requires authentication before the vulnerable code path can be reached. However, even with NLA, systems remain vulnerable to Remote Code Execution (RCE) if the attacker holds leaked or stolen credentials, so NLA reduces the risk but does not remove the need to patch.
- Apply the Microsoft-provided patches as soon as possible, starting with systems that host critical services or sensitive data.
- If patches cannot be applied in a timely manner, disable RDP services entirely on vulnerable systems until the patch can be applied, especially on critical systems.
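The following PowerShell script is an added example (not OCD Tech's code) that audits a single Windows host against the mitigations listed above: whether RDP is enabled and listening on TCP 3389, whether NLA is required on the RDP-Tcp listener, and whether a given Microsoft hotfix is installed. With `-Enforce` it applies the two host-level mitigations (require NLA; disable RDP until patched). It assumes it is run as Administrator, that the standard `Terminal Server` registry values are present (NLA enforcement does not exist on every legacy release), and that `$PatchKB` is replaced with the real KB identifier from the Microsoft advisory; the page does not give that identifier, so the default is a placeholder.

```powershell
# Added example, not part of the original advisory: audit and optionally enforce
# the RDP mitigations on the local host. Run from an elevated PowerShell prompt.
param(
    [string]$PatchKB = 'KB0000000',   # PLACEHOLDER: substitute the KB id from Microsoft's advisory
    [switch]$Enforce                  # when set, require NLA and disable RDP if still unpatched
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled? fDenyTSConnections = 1 means incoming connections are refused.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# 2. Is NLA required? UserAuthentication = 1 is the value the NLA Group Policy setting writes.
$ua = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($ua -eq 1)

# 3. Is the Microsoft patch installed? Get-HotFix returns nothing if the KB is absent.
$patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

# 4. Is anything listening on TCP 3389? Get-NetTCPConnection exists on Windows 8 / 2012 and
#    later; fall back to parsing netstat output on older systems such as XP, 2003 and 2008.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
} else {
    $listening = [bool](netstat -an | Select-String ':3389\s+\S+\s+LISTENING')
}

# Rank the host: unpatched + reachable + no NLA is the wormable case the advisory describes.
if ($rdpEnabled -and -not $patched -and -not $nlaRequired) { $risk = 'HIGH (wormable)' }
elseif ($rdpEnabled -and -not $patched)                    { $risk = 'MEDIUM (NLA only; credentials still sufficient)' }
else                                                       { $risk = 'LOW' }

[pscustomobject]@{
    Host        = $env:COMPUTERNAME
    RdpEnabled  = $rdpEnabled
    Listening   = $listening
    NlaRequired = $nlaRequired
    Patched     = $patched
    Risk        = $risk
} | Format-List

if ($Enforce) {
    if ($rdpEnabled -and -not $nlaRequired) {
        # Mitigation: require Network Level Authentication on the RDP-Tcp listener.
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        Write-Host 'NLA is now required for RDP connections.'
    }
    if ($rdpEnabled -and -not $patched) {
        # Mitigation: disable RDP entirely until the patch has been applied.
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
        Write-Host 'RDP disabled until the patch is installed; re-enable after patching.'
    }
}
```

For fleet-wide enforcement rather than a per-host script, the same `UserAuthentication` value is set by the Group Policy item "Require user authentication for remote connections by using Network Level Authentication" under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security, and the audit portion can be run remotely via `Invoke-Command` against the servers in scope. The `Listening` field only tells you the service is up; whether TCP 3389 is reachable from the internet must be confirmed at the perimeter firewall, which is the first mitigation above.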