Remote Desktop Protocol vulnerabilities exploitation

  • Monday, Nov 7, 2022

Introduction

One of the most widely used protocols for remotely controlling systems is the Remote Desktop Protocol (RDP). The advantage of a graphical user interface is undeniable and makes the tool easy to use. It is important to note that RDP is a two-way communication protocol: it carries the client's mouse and keyboard input to the server, and it carries the server's screen output back to the client. The whole RDP communication concept is based on data streams, or channels, each of which has its own ID and type of security, supported in two different modes:

  • Standard, based on RC4
  • Enhanced, using other protocols, such as TLS

Even though remote access through this protocol is heavily used on Windows operating systems, it has had a lot of vulnerabilities, which makes it attractive to attackers.

Identified Vulnerabilities

BlueKeep

This vulnerability forced Microsoft to release new patches even for older operating systems. CVE-2019-0708 refers to a Remote Desktop Services Remote Code Execution Vulnerability: the attacker is able to execute arbitrary code on the system through remote access via RDP, without any valid credentials. A few months later, in August 2019, several related BlueKeep-like vulnerabilities were collectively named DejaBlue. These affected newer Windows versions, namely Windows 7 and all versions up to Windows 10.

There are 32 static virtual channels. Since RDP 5.1, dynamic channels are carried inside one of these static channels. RDP configures virtual channels before authentication, which opens a door for the attacker. If the server binds the virtual channel MS_T120 to a static channel number other than 31, the resulting heap corruption allows arbitrary code execution. MS_T120 is a channel for which there is no legitimate reason for a client to connect.
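As an added example (not code from the original post), the following Python parses the clientNetworkData block (CS_NET, MS-RDPBCGR section 2.2.1.3.4) in which an RDP client lists the static virtual channels it wants to join, and flags a request for MS_T120, the indicator that BlueKeep network signatures key on. The sample blocks are constructed here with the same encoder; no real capture is used.

```python
import struct

CS_NET_TYPE = 0xC003       # clientNetworkData user-data header type (MS-RDPBCGR 2.2.1.3.4)
CHANNEL_DEF_SIZE = 12      # CHANNEL_DEF: 8-byte ANSI name + 4-byte options flags
MAX_CHANNELS = 31          # spec limit on channelCount
SUSPICIOUS = {"MS_T120"}   # no legitimate client ever asks to join this channel

def parse_cs_net(block: bytes) -> list:
    """Parse a CS_NET block into a list of (channel name, options) tuples."""
    if len(block) < 8:
        raise ValueError("block too short for a CS_NET header")
    hdr_type, hdr_len, count = struct.unpack_from("<HHI", block, 0)
    if hdr_type != CS_NET_TYPE:
        raise ValueError(f"unexpected user data type 0x{hdr_type:04x}")
    if count > MAX_CHANNELS or hdr_len != 8 + count * CHANNEL_DEF_SIZE or hdr_len > len(block):
        raise ValueError("channelCount and length fields are inconsistent")
    channels = []
    for i in range(count):
        raw_name, options = struct.unpack_from("<8sI", block, 8 + i * CHANNEL_DEF_SIZE)
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", "replace")
        channels.append((name, options))
    return channels

def suspicious_channels(block: bytes) -> list:
    """Return the names in the client's channel list that should raise an alert."""
    return [name for name, _ in parse_cs_net(block) if name.upper() in SUSPICIOUS]

def build_cs_net(names) -> bytes:
    """Constructed sample builder: encode a channel list the way a client would.
    struct's 8s pads short names with NUL bytes; 0x80000000 is CHANNEL_OPTION_INITIALIZED."""
    defs = b"".join(struct.pack("<8sI", n.encode("ascii"), 0x80000000) for n in names)
    return struct.pack("<HHI", CS_NET_TYPE, 8 + len(defs), len(names)) + defs

# Constructed samples: a normal client (device and clipboard redirection) and one
# that additionally requests MS_T120, which a detection rule should flag.
NORMAL_CLIENT = build_cs_net(["rdpdr", "cliprdr"])
BLUEKEEP_STYLE = build_cs_net(["rdpdr", "cliprdr", "MS_T120"])

if __name__ == "__main__":
    for label, block in (("normal", NORMAL_CLIENT), ("suspect", BLUEKEEP_STYLE)):
        print(label, parse_cs_net(block), "alert:", suspicious_channels(block))
```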

DoS attack - RD Gateway

This vulnerability allows a remote attacker to perform a denial of service (DoS) attack because of insufficient validation of user-supplied input in Windows Remote Desktop Gateway (RD Gateway). A remote attacker can send a specially crafted request to the affected server and cause a denial of service. The vulnerability was published on 14.1.2020 and identified as CVE-2020-0612. Windows Server 2016 to 2019 are vulnerable.

Heap buffer overflow

A very similar vulnerability to the BlueKeep mentioned before. CVE-2021-34535 also refers to a Remote Desktop Services Remote Code Execution Vulnerability. The vulnerability is an integer overflow caused by an attacker-controllable payload size field, which ultimately leads to a heap buffer overflow during memory allocation. It can be triggered via the RDP Video Redirection Virtual Channel Extension [MS-RDPEV], which is typically deployed on port 3389 and is contained inside a compressed UDP payload and TLS-encrypted RDP.

Information Disclosure

CVE-2022-22015 allows a remote attacker to gain access to potentially sensitive information, which means that it affects the confidentiality of data. It was published on 10.5.2022 and exists because the Windows Remote Desktop Protocol implementation outputs excessive data. A remote user can gain unauthorized access to sensitive information on the system.

Pipe attack

This security vulnerability was identified as CVE-2022-21893. It enables unprivileged users connected remotely to a system to gain file system access to the computers of other connected users, or to read and modify their clipboard data.

Every pipe created has a name. This vulnerability relies on the fact that the pipe named TSVCPIPE has a security descriptor that allows any user to create a pipe instance of the same name. So the attacker creates a pipe connection with the TSVCPIPE name and waits for the original user to create the same pipe. Because of FIFO ordering, the attacker's pipe will be used, and all the data transmitted through this pipe will be leaked. Moreover, data transmitted through pipes is in clear text.

Table of all CVE records of RDP vulnerabilities after BlueKeep (cve.mitre.org)

| CVE NAME       | CVSS 3.0 Base Score | Source                     | Published Date |
|----------------|---------------------|----------------------------|----------------|
| CVE-2019-1108  | 6.5 MEDIUM          | Microsoft Corporation      | 07/09/2019     |
| CVE-2019-1181  | 9.8 CRITICAL        | Microsoft Corporation      | 08/13/2019     |
| CVE-2019-1182  | 9.8 CRITICAL        | Microsoft Corporation      | 08/13/2019     |
| CVE-2019-1222  | 9.8 CRITICAL        | Microsoft Corporation      | 08/13/2019     |
| CVE-2019-1223  | 7.5 HIGH            | Microsoft Corporation      | 08/13/2019     |
| CVE-2019-1224  | 7.5 HIGH            | Microsoft Corporation      | 08/13/2019     |
| CVE-2019-1225  | 7.5 HIGH            | Microsoft Corporation      | 08/13/2019     |
| CVE-2019-1226  | 9.8 CRITICAL        | Microsoft Corporation      | 08/13/2019     |
| CVE-2019-1326  | 7.5 HIGH            | Microsoft Corporation      | 10/08/2019     |
| CVE-2019-1453  | 7.5 HIGH            | Microsoft Corporation      | 12/10/2019     |
| CVE-2019-1489  | 7.5 HIGH            | Microsoft Corporation      | 12/10/2019     |
| CVE-2019-9510  | 5.3 MEDIUM          | CERT/CC                    | 01/15/2020     |
| CVE-2020-0609  | 9.8 CRITICAL        | Microsoft Corporation      | 01/14/2020     |
| CVE-2020-0610  | 9.8 CRITICAL        | Microsoft Corporation      | 01/14/2020     |
| CVE-2020-0612  | 7.5 HIGH            | Microsoft Corporation      | 01/14/2020     |
| CVE-2020-0660  | 7.5 HIGH            | Microsoft Corporation      | 02/11/2020     |
| CVE-2020-11058 | 2.2 LOW             | GitHub, Inc.               | 05/12/2020     |
| CVE-2020-1466  | 7.5 HIGH            | Microsoft Corporation      | 08/11/2020     |
| CVE-2020-16863 | 7.5 HIGH            | Microsoft Corporation      | 10/13/2020     |
| CVE-2020-16896 | 7.5 HIGH            | Microsoft Corporation      | 10/13/2020     |
| CVE-2020-16927 | 7.5 HIGH            | Microsoft Corporation      | 10/13/2020     |
| CVE-2020-27208 | 6.8 MEDIUM          | MITRE                      | 05/21/2021     |
| CVE-2020-27212 | 7.0 HIGH            | MITRE                      | 05/21/2021     |
| CVE-2020-3427  | 6.6 MEDIUM          | Cisco Systems, Inc.        | 10/14/2020     |
| CVE-2020-9497  | 6.5 MEDIUM          | Apache Software Foundation | 07/02/2020     |
| CVE-2020-9498  | 6.7 MEDIUM          | Apache Software Foundation | 07/02/2020     |
| CVE-2021-2279  | 8.1 HIGH            | Oracle                     | 04/22/2021     |
| CVE-2021-31186 | 7.4 HIGH            | Microsoft Corporation      | 05/11/2021     |
| CVE-2021-36158 | 5.9 MEDIUM          | MITRE                      | 07/05/2021     |
| CVE-2021-38631 | 4.4 MEDIUM          | Microsoft Corporation      | 09/11/2021     |
| CVE-2021-41159 | 5.8 MEDIUM          | GitHub, Inc.               | 10/21/2021     |
| CVE-2021-41160 | 5.3 MEDIUM          | GitHub, Inc.               | 10/21/2021     |
| CVE-2021-41371 | 4.4 MEDIUM          | Microsoft Corporation      | 09/11/2021     |
| CVE-2022-22015 | 6.5 MEDIUM          | Microsoft Corporation      | 05/10/2022     |
| CVE-2022-22166 | 6.5 MEDIUM          | Juniper Networks, Inc.     | 01/18/2022     |
| CVE-2022-22208 | 5.9 MEDIUM          | Juniper Networks, Inc.     | 10/17/2022     |
| CVE-2022-23613 | 7.8 HIGH            | GitHub, Inc.               | 02/07/2022     |
| CVE-2022-24882 | 9.1 CRITICAL        | GitHub, Inc.               | 04/26/2022     |
| CVE-2022-24883 | 7.4 HIGH            | GitHub, Inc.               | 04/26/2022     |

Secure RDP configuration

There have been several other RDP vulnerabilities over the years, and it is only a matter of time before another one is discovered. Therefore, this section describes a few mitigations for securing RDP.

VPN

With RDP enabled, all computers connected to an organization's network are exposed directly to the internet. A Virtual Private Network (VPN) will hide which systems on the organization's network are accessible via RDP. VPN authentication adds another security layer before clients are able to log into the internal systems via RDP.

Port 3389

By default, port 3389 is used for RDP, but before implementing any rules it is recommended to check whether it was changed at some point during the company's existence. Securing the port used for RDP helps to control the traffic flow through the company's network. By implementing network-based and host-based firewall rules, the organization can block unwanted traffic and connections. It is recommended to block any inbound RDP connection from external systems; systems that the organization needs to access via RDP are allowed manually by IP address. This ensures that only authorized users can log into a system.

Password policy

An important step in the password policy is to determine, and show users, what passwords should look like. In companies it is common to require that a password contain uppercase and lowercase characters, numbers and special characters. To ensure complexity, it is also good to require passwords of at least 14 characters. When it comes to authentication, Microsoft and NIST provide guidance on password policy best practices, as published by CIS.

Updates

An unpatched system is more vulnerable, and attackers know it. Patches and updates are not made just for a better frontend and functionality, but also for security. An out-of-date system can be updated manually, or automatically by tools that ensure an organization has the latest security updates provided by the software vendor. On critical systems, the administrator should test the environment after patching to ensure that the updates did not affect the systems negatively.

Session Lockout

Brute-force attacks are the most common attack technique, and RDP systems are also targeted in attempts to compromise the network. The question is how to reduce the probability of a successful brute-force attack. The best practice is to implement account lockout: after 5 consecutive failed login attempts, lock the account for 15 minutes, and after 12 failed retries, apply a temporary lockout that only an administrator can reset.
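The lockout rule above as a reference implementation in Python, added here as an example and not taken from the post. The attempt log is constructed, and two choices the post does not spell out are assumptions: attempts made during a lockout are refused without being counted, and every further five consecutive failures lock the account again until the administrator-only threshold is reached.

```python
from datetime import datetime, timedelta

LOCK_AFTER = 5                    # consecutive failures that trigger a timed lockout
LOCK_FOR = timedelta(minutes=15)  # length of the timed lockout
ADMIN_LOCK_AFTER = 12             # consecutive failures after which only an admin can unlock

class LockoutPolicy:
    """Per-account consecutive-failure counter implementing the rules above."""

    def __init__(self):
        self.failures = {}        # account -> consecutive failed attempts
        self.locked_until = {}    # account -> expiry of the current timed lockout
        self.admin_locked = set()

    def attempt(self, ts, account, success):
        """Apply one login attempt at time ts and return the verdict."""
        if account in self.admin_locked:
            return "admin_locked"
        until = self.locked_until.get(account)
        if until is not None and ts < until:
            return "locked"       # refused during the lockout; counter untouched (assumption)
        if success:
            self.failures[account] = 0
            return "allowed"
        n = self.failures[account] = self.failures.get(account, 0) + 1
        if n >= ADMIN_LOCK_AFTER:
            self.admin_locked.add(account)
            return "admin_locked"
        if n % LOCK_AFTER == 0:   # 5th, 10th ... consecutive failure (assumption for >5)
            self.locked_until[account] = ts + LOCK_FOR
            return "locked"
        return "rejected"

    def admin_reset(self, account):  # the only way out of an admin lockout
        self.admin_locked.discard(account)
        self.failures[account] = 0
        self.locked_until.pop(account, None)

def replay(log_lines):
    """Feed constructed 'ISO-timestamp account OK|FAIL' lines through a fresh policy."""
    policy, verdicts = LockoutPolicy(), []
    for line in log_lines:
        ts, account, result = line.split()
        verdicts.append(policy.attempt(datetime.fromisoformat(ts), account, result == "OK"))
    return verdicts

# Constructed sample: five bad passwords, one try during the lockout, success afterwards.
SAMPLE_LOG = [f"2022-11-07T10:00:0{i} alice FAIL" for i in range(5)] + [
    "2022-11-07T10:05:00 alice FAIL", "2022-11-07T10:16:00 alice OK"]
```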

Backup

In case an attack is successful and data is compromised, there should be a way to recover an exact copy of the uncompromised data, all the more because the deployment of ransomware has rapidly increased over the past few years. Some recommended best practices:

  • Full backups through imaging, which will allow quick recovery after an incident.
  • Testing backups to confirm that everything works properly.
  • Protecting backups through physical security and encryption (cloud services included).
  • At least one offline backup that is not accessible through a network connection.

Conclusion

The mitigations mentioned above can be implemented at low or no cost, and therefore every organization should consider implementing them. It is clear that there will be further vulnerabilities exploited by RDP-based attacks, and that is the reason why every company should consider effectively implementing these mitigations to strengthen its cybersecurity protection.

Sources