Mar. 19, 2012
On Tuesday, Microsoft Corp. released a patch for two critical vulnerabilities in the company’s Remote Desktop Protocol (RDP), which is typically used by organizations to remotely access Microsoft® Windows® systems. The first vulnerability could allow an attacker to crash the RDP service and render it unresponsive, possibly causing a denial-of-service condition. The second vulnerability could allow an attacker to gain unauthorized access to a system simply by sending specially crafted traffic to the RDP service. Further explanation of these issues is available in this Microsoft Security Bulletin.
To protect against these vulnerabilities, Microsoft recommends installing the MS12-020 patch as soon as possible. In the meantime, organizations can mitigate their risk by taking the following steps:
- Move your RDP listeners to nonstandard (not 3389) ports according to instructions provided by Microsoft.
- Enable Remote Desktop Network Level Authentication according to instructions provided by Microsoft.
In addition, Crowe suggests that access to RDP (and all other remote access technologies) not be exposed directly to the Internet. Instead, consider requiring that users and administrators first connect to a virtual private network and then use remote access tools from inside it.
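The following PowerShell script is an added example for this advisory, not code from Crowe or Microsoft. It audits the two interim workarounds above (listener port and Network Level Authentication) on the local Windows host and, with `-Fix`, applies them. It assumes an elevated prompt, the standard RDP-Tcp listener registry keys, and Windows Firewall; the `$PatchKb` value is a placeholder that must be replaced with the hotfix identifier from the MS12-020 bulletin.

```powershell
<#
 Added example (not the advisory's or Microsoft's own code): audit and optionally
 apply the MS12-020 interim workarounds on the local host.
   1. RDP listener moved off TCP 3389
   2. Network Level Authentication (NLA) required
 Assumptions: run elevated; registry paths are the standard RDP-Tcp listener
 settings; $PatchKb is a PLACEHOLDER to be replaced with the real hotfix id.
#>
param(
    [switch]$Fix,                   # apply NLA (and the port move when -NewPort is set)
    [int]$NewPort = 0,              # 0 = leave the listener port unchanged
    [string]$PatchKb = 'KBnnnnnnn'  # placeholder: MS12-020 hotfix id from the bulletin
)

$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpPosture {
    $l  = Get-ItemProperty -Path $listenerKey
    $ts = Get-ItemProperty -Path $tsKey
    [pscustomobject]@{
        RdpEnabled    = ($ts.fDenyTSConnections -eq 0)
        Port          = [int]$l.PortNumber
        NlaRequired   = ([int]$l.UserAuthentication -eq 1)
        SecurityLayer = [int]$l.SecurityLayer   # 0 = legacy RDP security, 1 = negotiate, 2 = TLS
        PatchPresent  = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
    }
}

$before   = Get-RdpPosture
$findings = @()
if (-not $before.RdpEnabled) {
    $findings += 'RDP is disabled on this host; no listener is exposed.'
} else {
    if (-not $before.PatchPresent)   { $findings += "Hotfix $PatchKb not found: install the MS12-020 update." }
    if ($before.Port -eq 3389)       { $findings += 'Listener on default port 3389 (workaround 1 not applied).' }
    if (-not $before.NlaRequired)    { $findings += 'NLA not required: clients reach the RDP service before authenticating (workaround 2 not applied).' }
    if ($before.SecurityLayer -eq 0) { $findings += 'SecurityLayer=0 (legacy RDP security); prefer 2 (TLS).' }
}
$findings | ForEach-Object { Write-Warning $_ }

if ($Fix -and $before.RdpEnabled) {
    # Workaround 2: require NLA so a client must authenticate before the session is set up.
    Set-ItemProperty -Path $listenerKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $listenerKey -Name SecurityLayer     -Value 2 -Type DWord

    if ($NewPort -gt 0 -and $NewPort -ne 3389) {
        # Workaround 1: move the listener. Open the new port first, or the restart
        # below locks administrators out (assumes Windows Firewall is in use).
        Set-ItemProperty -Path $listenerKey -Name PortNumber -Value $NewPort -Type DWord
        netsh advfirewall firewall add rule name="RDP ($NewPort)" dir=in action=allow protocol=TCP localport=$NewPort | Out-Null
    }
    # Listener settings are read when the service starts; active sessions will drop.
    Restart-Service -Name TermService -Force
    Get-RdpPosture | Format-List
} else {
    $before | Format-List
}
```

Run it without arguments to get a report only; `-Fix -NewPort 33890` applies both workarounds. Requiring NLA is the stronger of the two, since moving the port only hides the listener from casual scans, but it does reject clients whose RDP client lacks CredSSP support, so inventory those before enforcing it fleet-wide.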
For the second vulnerability, Proof of Concept code is currently available in the public domain. The code will cause a server running RDP to crash and the entire Windows system – not only the RDP service affected by the first vulnerability – to reboot. At publication, there is no known public code that can fully compromise a system. There are reports, however, of a fully functioning Chinese version of the exploit that does have the ability to compromise a remote system.
The website gun.io has established a bounty to go to anyone who creates a stable working exploit as part of Metasploit, an industry standard penetration testing tool. At publication, the bounty’s value was $1,500.
Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools, and guidance can be found on Microsoft’s Security Research & Defense blog.
For more information, contact Raj Chaudhary at 312.899.7008 or firstname.lastname@example.org.