RDPeek-A-Boo

Critical Remote Desktop Flaw Identified in Microsoft Windows Operating Systems
A newly discovered vulnerability in the Microsoft Remote Desktop Protocol has been announced, along with a corresponding patch for Windows XP, 7, 2003, 2008, and 2008 R2. Successful exploitation of this vulnerability is possible via a remote unauthenticated attacker, with no user interaction. This represents the most severe class of vulnerabilities, in that an attacker can execute code (i.e. malware) on a system with elevated privileges, simply by sending crafted RDP packets to a vulnerable system.

The security industry is drawing many parallels between this newly identified vulnerability and the MS17-010 (ETERNALBLUE) vulnerability that allowed the global spread of the WannaCry ransomware several years ago. Similar to WannaCry, this vulnerability is “wormable”, meaning once compromised, the target system can be used to identify additional vulnerable systems and exploit them automatically. For example, one vulnerable RDP server exposed directly to the internet can lead to complete compromise of the internal network. Once the internet-facing system is compromised, it may become a pivot point into the internal network, where many RDP services are available for exploitation.
In fact, this vulnerability may even be more severe than the MS17-010 vulnerability exploited to spread WannaCry. MS17-010 relied on a vulnerability in the Server Message Block protocol (port 445), which is sometimes, but not often, exposed directly to the internet. The newly identified vulnerability, however, exists in the Remote Desktop Protocol (port 3389), which sees much more widespread use on the internet. Organizations will often expose certain internal systems to the internet via RDP to allow remote access, as this is the purpose of RDP. Since a significantly higher number of systems expose RDP to the internet as compared to SMB, this vulnerability poses a significantly higher risk.
While there are no known reports of this vulnerability being exploited in the wild, Microsoft has released a set of patches to address this potential risk. Microsoft has even taken the very rare position of releasing patches for legacy operating systems, such as Windows XP, which demonstrates the level of risk Microsoft has associated with this vulnerability. Between the time Microsoft releases the patch and the time organizations take to test and implement it, numerous threat actors will be attempting to reverse engineer the patch in order to identify the exact vulnerability. Once the vulnerability is understood, these threat actors will build a weaponized exploit and use this vulnerability to spread ransomware or cryptocoin miners, or to gain a foothold in target organizations.
OCD Tech is anticipating widespread attacks targeting this vulnerability on a global scale, akin to what occurred once the WannaCry virus really hit its stride, within the next several weeks. If attackers choose to leverage the “wormable” aspect of this vulnerability, the scale of the attack could be truly unprecedented.
OCD Tech recommends the following mitigations:
- Ensure that no RDP services are directly exposed to the internet. RDP services which are required remotely should first leverage a VPN connection or other tunnel to protect internal systems from direct remote compromise.
- Enable Network Level Authentication (NLA) via GPO for all RDP services. Systems with NLA enabled are protected against ‘wormable’ RDP malware, as NLA requires authentication before the vulnerability can be triggered. However, even with NLA, systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has leaked or stolen credentials.
- Apply the Microsoft provided patches as soon as possible, starting with systems which host critical services or sensitive data.
- If patches cannot be applied in a timely manner, disable RDP services entirely on vulnerable systems until the patch can be applied, especially on critical systems.
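As an added example (not part of OCD Tech's advisory), the following PowerShell script audits the second, third and fourth mitigations above on each host: whether RDP is enabled, whether NLA is enforced on the RDP-Tcp listener, and whether a given Microsoft hotfix is installed, with an optional switch that turns NLA on where it is missing. It assumes PowerShell remoting is enabled, Windows 7 / Server 2008 R2 or later (XP and 2003 do not expose the TerminalServices WMI namespace), and that `$PatchKB` is supplied by the operator from Microsoft's bulletin; the first mitigation (no RDP reachable from the internet) has to be verified at the network edge, not on the host.

```powershell
# Added example, not from the original advisory. Audits RDP posture on one or
# more hosts and optionally enforces NLA. Assumes remoting and Win7/2008 R2+.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$PatchKB = '',   # e.g. the KB id from Microsoft's bulletin (placeholder: operator supplies it)
    [switch]$Remediate       # when set, enforce NLA on hosts where it is off
)

$audit = {
    param([bool]$Fix, [string]$Kb)
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # fDenyTSConnections = 1 means Remote Desktop is disabled on this host
    $rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1

    # Win32_TSGeneralSetting.UserAuthenticationRequired = 1 means NLA is required
    $ts = Get-CimInstance -Namespace root/cimv2/TerminalServices `
            -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $nla = $ts.UserAuthenticationRequired -eq 1

    # Remediation: require NLA on an enabled listener that does not already require it
    if ($Fix -and -not $nla -and -not $rdpDisabled) {
        Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
            -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
        $nla = $true
    }

    # Patch state: only meaningful when the operator passed the KB id to look for
    $patched = $null
    if ($Kb) { $patched = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) }

    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        OSVersion      = [Environment]::OSVersion.Version.ToString()
        RdpEnabled     = -not $rdpDisabled
        NlaRequired    = $nla
        PatchInstalled = $patched
        # A host that is enabled, without NLA and unpatched is the one to act on first
        Exposed        = (-not $rdpDisabled) -and (-not $nla) -and ($patched -ne $true)
    }
}

foreach ($c in $ComputerName) {
    Invoke-Command -ComputerName $c -ScriptBlock $audit -ArgumentList $Remediate.IsPresent, $PatchKB
}
```

Hosts reported with `Exposed = True` are the candidates for the fourth mitigation (disable RDP until patched); setting `fDenyTSConnections` to 1 under the same registry key does that, and should be pushed by GPO rather than ad hoc.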