Microsoft: RDP Vulnerability Should Be Patched Immediately
wiredmikey writes "Microsoft is urging organizations to apply the sole critical update in this month's Patch Tuesday release as soon as possible. The critical bulletin – one of six security bulletins issued as part of Tuesday's release – addresses two vulnerabilities in the Remote Desktop Protocol (RDP). Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon's AWS, need to patch as quickly as possible, said Qualys CTO Wolfgang Kandek. Besides the RDP bugs, this month's Patch Tuesday addressed five other vulnerabilities: two denial-of-service bugs and an escalation of privileges issue in Microsoft Windows; a remote code execution vulnerability in Microsoft Expression Design; and an escalation of privileges issue in Microsoft Visual Studio."
Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.
Any other ports?
It's tunnels. All the way down.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
It could happen to Linux as well. But it doesn't.
Linux does have comparable remote-access protocols to RDP, all of which have had plenty of remote exploits in past. For example have a look at CERT advisories on SSH and X11. Don't even get me started on VNC, which is often not updated automatically because it's an installable add-on instead of a system component.
I think all of those have happened in Linux at some stage, with the exception of privilege escalation exploits in an IDE.
It just happens less and the number of exploits is reduced due to rapid updates, on average much better admin and version fragmentation from different distros.
Ok, so there are some weaknesses / bugs and patches to be applied to Linux. There are, there were, and there will be. Always. But are we on the same scale here? We are talking about a remote administration GUI security hole; that nice graphics and window-based environment that allows almost any brainless geek to damage the system from any angle, visually, like a game.
Slashdot, fix the reply notifications... You won't get away with it...
As if it isn't bad enough that an RDP worm is already spreading due to weak passwords. If users/admins are incompetent enough to use passwords fit for luggage you can only guess how many unprotected Internet facing RDP servers will be ravaged within the next few weeks. Don't get me wrong. I have seen situations that actually call for an Internet facing RDP, such as screaming sales execs behind third party firewalls that block egress GRE, 443, and 22, with the variety of IP addresses causing admins to play whack-a-mole in Webmin to allow individual IPs, but these admins have already patched. If a rogue Fawkes writes a worm for a Massive DDoS or particularly nasty payloads many of us will suffer. An exam should be required to run these services and it should be harder to get than a driver's license. Am I ranting?
I believe the GP was referring to this story.
Write failed: Broken pipe
WOW! Are you detached from reality. Microsoft products are used because of market share and industry momentum. Bitch all you want about design and implementation, but the world isn't going to stop and replace everything with Linux/Unix as though it was some grand Moon Shot program. It will not happen. Get over it.
Life is not for the lazy.
And having a vulnerability in a GUI (RDP) protocol is somehow worse than having vulnerabilities in SSH how exactly?
Nothing stops you from using Windows Remote Management to do exactly the same thing with Windows.
So you are trying to tell me a system where many admins cannot write firewall rules and file ACLs is better than a system with a GUI for the same?
Windows has all the same security functions Linux does and then some and can be made to be highly secure. It also has a command line that is more useful than the majority of the inexperienced know. Admins who don't know how to/or care to maintain some of their systems exist in both camps. It is not the tool.
What you are saying is the same as saying impact wrenches are bad tools for mechanics because they are easy to use and strip bolts and all mechanics should use torque wrenches instead.
120 characters ought to be enough for anyone
And having a vulnerability in a GUI (RDP) protocol is somehow worse than having vulnerabilities in SSH how exactly?
Any fool can use the GUI, but with SSH at least you can be sure that you are being hacked and exploited by a fellow geek.
If my comment didn't sound as good in your head as it did in mine, then I guess we all know who's to blame
Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.
Any other ports?
It's tunnels. All the way down.
Yeah, it sure is unfortunate that you can't do exactly the same thing with RDP. And MS should definitely think of adding IPSEC support one of these days (yes, I know). Of course people are probably less likely to bother, since unless you're French, RDP is fully encrypted (standard VNC only encrypts the password) and talking of passwords it allows them to be more than 8 characters long. You can even have a username too, if you use the right version and configure PAM (joke - there is no right version for that because it's a terrible idea security wise). It has also never had a bug where the client could tell the server it didn't support any of its authentication schemes and so the server simply let it connect without authentication.
In fact this is the first time I've heard of a potential serious vulnerability in Remote Desktop, so frankly this is not the area to be smug about.
Anyway this is a bit too MS positive for my liking, so I'll just add that TurboVNC + VirtualGL + VirtualBox = one fucking awesome free VDI implementation. Add SSH, OpenVPN or IPSEC to taste if you want (although VirtualGL handles SSH itself transparently if you want). Actually for remote admin purposes you only need the 1st part (unless it's a bunch of 3D workstations you're supporting). And possibly a new hobby to use to soak up all the time you used to waste waiting for the screen to refresh. I would also mention FreeNX, but a) I think it gets outperformed by the above and b) I am fucked if I'm setting that damned thing up again just to verify.
Oh yeah, one more neat trick - Virtualbox can run in headless mode on a box with no GUI (or with one, doesn't matter). In this mode it serves up the VM display using an extended version of RDP. The great thing is this doesn't just apply to Windows VMs - it can serve any OS it can run over RDP. Watch the look on your colleagues' faces as you get them to fire up MSTSC and connect straight into Ubuntu. Or OS2, OSX, Win 3.1 etc., etc. You can even dump them into an EFI shell or the virtual BIOS. Literally minutes of laughs to be had. Oh yeah, you may need the non-open source extension pack for that. Also they're adding VNC in the next release. I have no fucking idea why.
And no, I have no idea why you're not allowed to use RDP encryption in France. I have no idea why they're not allowed to use deodorant either, come to think of it.
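The setup in the SSH-tunnel post above (key-only authentication, no root login, VNC carried inside the tunnel) and this reply's point that RDP can be wrapped the same way, as an added example that is not code from any poster: a small POSIX sh script that audits an sshd_config fragment for exactly those settings and prints the ssh port-forward command for a loopback-bound VNC (5900) or RDP (3389) service. The sample config text, the host name bastion.example.com and the user name admin are constructed placeholders; the audit reads only top-level directives and ignores Match blocks.

```shell
#!/bin/sh
# Constructed sample sshd_config fragment (not taken from any real host).
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
AllowTcpForwarding yes'

# sshd_setting CONFIG_TEXT KEY DEFAULT
# Prints the effective value of KEY: sshd uses the first occurrence, so the
# first non-comment match wins; DEFAULT is printed when the key is absent.
# Simplification: Match blocks are not handled, only top-level directives.
sshd_setting() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# audit_sshd CONFIG_TEXT
# Prints "ok" when root login is off, password auth is off and public-key auth
# is on; otherwise a comma-separated list of the directives that fail.
# Defaults used when a directive is absent match OpenSSH 7.0+ (assumption):
# PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes.
audit_sshd() {
    cfg=$1
    bad=""
    [ "$(sshd_setting "$cfg" PermitRootLogin prohibit-password)" = "no" ] || bad="${bad}PermitRootLogin,"
    [ "$(sshd_setting "$cfg" PasswordAuthentication yes)" = "no" ] || bad="${bad}PasswordAuthentication,"
    [ "$(sshd_setting "$cfg" PubkeyAuthentication yes)" = "yes" ] || bad="${bad}PubkeyAuthentication,"
    if [ -z "$bad" ]; then echo ok; else echo "${bad%,}"; fi
}

# tunnel_cmd USER HOST REMOTE_PORT LOCAL_PORT
# Prints the ssh invocation that forwards LOCAL_PORT on this machine to
# REMOTE_PORT on the remote host's loopback interface, so the VNC/RDP service
# itself never has to listen on a public address. -N opens no shell.
tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' "$4" "$3" "$1" "$2"
}

# Stand-alone run: audit the constructed sample, then show the VNC and RDP tunnels.
audit_sshd "$SAMPLE_SSHD_CONFIG"
tunnel_cmd admin bastion.example.com 5900 5901
tunnel_cmd admin bastion.example.com 3389 13389
```

After the tunnel is up, the VNC viewer or RDP client is pointed at 127.0.0.1:5901 (or 127.0.0.1:13389), and the only port that needs to be reachable from outside is sshd's.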
RDP is a GUI, SSH (for instance) is not. From wiki:
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer
Don't you think it is easier to hack a computer from a window-based tool where you see the menus and all, than from an austere text based prompt?
I would suspect that someone who has the skill set required to "hack a computer" would not be slowed down much in his mischievous activity by an austere text based prompt.
lucm, indeed.
Who are all these admins doing stuff over RDP and why are they still employed? I've seen these installations myself but I simply cannot believe it. It's so dumb that it boggles the mind. Why would I need to login to a full display server to remotely administrate... anything? Oh, unless I'm on Windows where some applications cannot be used without the GUI. Lol. This is so pathetic. If you simply must use a GUI, just tunnel an X client over SSH and never worry about applying patches again - oh but wait, I forgot again that we're on Windows so you can't do that. Why anyone would rely on this backwards, insecure, cumbersome, and ultimately counter-productive bullshit is completely beyond me.
The dangerous people are not the admins that are using RDP. The dangerous people are the idiots that think that because they use an X client over SSH they don't have to worry about applying patches again.
So it does not surprise me that the fact that people rely on technologies that you don't understand is completely beyond you. Once you get real work experience, other than maintaining that FTP server for a non-profit or that Drupal server for Uncle Bob's tackle and bait shop, we can have this discussion again.
lucm, indeed.
No, I don't think it is easier. Why do you think windows and menus make things any more hackable?
I know: someone using WinRunner or AutoHotKey could do brute-force hacking on a GUI!
This is brilliant, I must immediately check IRC (or Experts-Exchange) to see if there are scripts available to do that.
lucm, indeed.
The vulnerability is in the protocol, not in the fact that it is a remote GUI protocol. The fact it is a GUI protocol is moot in this case - the attack allows someone (using a terminal, a GUI, whatever) to send crafted packets to the RDP service (note, service) on a Windows machine that may allow them to run arbitrary code remotely, in just the same way that someone (using a terminal, a GUI, whatever - see the consistency here?) can send crafted packets to XYZ service (note, service) on a Linux/BSD/whatever machine that may allow them to run arbitrary code remotely.
The nice thing with this attack is that failed attempts supposedly result in a BSOD too :-)
Actually you are wrong. I am from Citrix so I know, RDP is developed by Microsoft, Citrix has its own proprietary protocol called ICA (Independent Computing Architecture) which is just a wrapper around RDP. It's true that RDP came from WinFrame which was a Citrix product but you are wrong in saying that Microsoft bought RDP from Citrix.
Don't you think it is easier to hack a computer from a window-based tool where you see the menus and all, than from an austere text based prompt?
Only to the extent that GUIs are easier to use in general. They are not inherently more hackable than text prompts: text may give you a little extra obscurity, but that's not something that should be relied on in a security context.
Microsoft developed the original RDP technologies (before someone jumps in, not *all* RDP tech, just the ones involved in this timeline), and sold it off to Citrix, who dramatically improved it. MS then licensed it back from Citrix as an independent product and included it into Windows.
Windows: So awkward to use, even the hackers will get mired in the GUI.
Linux does have comparable remote-access protocols to RDP, all of which have had plenty of remote exploits in past. For example have a look at CERT advisories on SSH and X11. Don't even get me started on VNC, which is often not updated automatically because it's an installable add-on instead of a system component.
You didn't get a chance to look at years on those advisories, eh?
In year 2002 everything was vulnerable. Literally.
In year 2012, one would expect that such a critical component as RDP would be audited 100 times by Microsoft. Seemingly not.
First, I've never once seen a best practices document that says "put RDP on the Internet." Maybe one exists, or maybe there are special cases somewhere that allow for it, but to me it just seems stupid to connect a Windows machine directly to the Internet, or port-forward directly to one from the edge device.
Second, has anyone heard of an exploit for this that involves a prior uncovered exploit - basically you get some malware that "phones home" to an SSH server and opens a reverse tunnel back to the local RDP server? It seems to me that this would be one way they would do it.
Is this sarcastic or is this somehow really supposed to be reassuring?
I was aiming for +5, Funny - with a faint smell of insightfulness while masquerading as informative
I think I did rather well?
If my comment didn't sound as good in your head as it did in mine, then I guess we all know who's to blame