Windows Remote Desktop Exploit In the Wild

angry tapir writes "Luigi Auriemma, the researcher who discovered a recently patched critical vulnerability in Microsoft's Remote Desktop Protocol (RDP), published a proof-of-concept exploit for it after a separate working exploit, which he said possibly originated from Microsoft, was leaked online on Friday. Identified as CVE-2012-0002 and patched by Microsoft on Tuesday, the critical vulnerability can be exploited remotely to execute arbitrary code on systems that accept RDP connections."

Did anyone think it was secure anyway?

[dbIII]

Doesn't everyone with a clue use it via a VPN anyway?

Re:Did anyone think it was secure anyway?

[Svippy]

How often is it 'people with a clue' that attackers are after?

Re:Did anyone think it was secure anyway?

[ozmanjusri]

Doesn't everyone with a clue use it via a VPN anyway?

Good way to miss the point.

The incident brings into question vulnerability Microsoft's program which is intended to alert security partners before the patches themselves are released. The idea is to give the security vendors time to prioritise and test the fixes, however in this instance, it left their customers vulnerable.

tldr: Microsoft gave hole in Windows to security guys. Security guys gave it to black hats. Customers lost (probably not for the first time...)

Re:Did anyone think it was secure anyway?

[DarkOx]

Climb down off your high horse. RDP for years now has been encrypted and certificate authenticated using TLS. There is no inherent reason when it should not be save to connect to a windows 6.x (Vista / 7 / Server '08) machine over the internet with RDP. You don't always use SSH over VPN do you? Its not as if that has never had a vulnerability.

Re:Did anyone think it was secure anyway?

[cbhacking]

That's just placing trust in the VPN software, rather than the terminal services server. How does that help? You may trust a particular VPN implementation more than you trust any code out of Microsoft, I guess, but RDP is already encrypted and can be configured to use fairly good authentication.

Yes, for a business, it is expected that a VPN would be required (because there are a lot of network resources beyond RDP, and because the internal network is typically behind a proxy), but for a home connection that seems excessive. RDP is disabled by default on home installations, but plenty of people enable it at some point and don't later disable it even though it's a potential attack vector - much like SSH, which people also often use without VPN.

Additionally, there's always the risk of things like a disgruntled employee using this attack from within the corporate network to attack a co-worker (or manager) by changing something on their computer or stealing their credentials, or a corporate spy using it to gain access to data they shouldn't have, or... For remote security vulnerabilities, you need to be a lot more imaginitive in considering threat cases!

Re:Did anyone think it was secure anyway?

[liamoshan]

Doesn't everyone with a clue use it via a VPN anyway?

Most people don't have publicly available RDP open. But there are enough Windows machines out there that even if a small percentage have RDP exposed, and only a small percentage of them aren't patched... there is still a metric shitload of vulnerable hosts.

Dan Kaminsky has done some scanning and extrapolation to estimate that there are about 5 million RDP endpoints exposed

Re:Did anyone think it was secure anyway?

People 'With a clue' would use Windows Remote Desktop Gateway - RDP over SSL - therefore not exposing their RDP servers to the public.

Re:Did anyone think it was secure anyway?

[Kjella]

Businesses yes for the most part, but Windows power users that would like a way to log in remotely - like Linux people ssh with X forwarding - often have RDC enabled and internet exposed. Plus if you can traverse the external firewall some other way, then launch RDC attacks on the computers that's a pretty big loophole too. Or if you're somehow on the inside already, in a big company that external wall is just a tiny bit of your defenses. Overall it's pretty critical.

Re:Did anyone think it was secure anyway?

If you are talking about attackers with a clue (ie, those that you do have to worry about), then probably pretty damn often, I'd say.

Re:Did anyone think it was secure anyway?

If you've got _a_ machine - maybe. If you've got a bunch of machines and several service that need remote access - surely you'll use a tunnel. May be even just SSH tunnel.

Re:Did anyone think it was secure anyway?

[jonwil]

Is remote desktop secured and encrypted by default? If not, why the hell not?

Only an idiot would implement a remote-access protocol like this and NOT use good encryption on it.

Re:Did anyone think it was secure anyway?

[jamesh]

tldr: Microsoft gave hole in Windows to security guys. Security guys gave it to black hats. Customers lost (probably not for the first time...)

As soon as you release a patch fixing a problem you've given the black hats enough to exploit it if it is exploitable. A simple binary diff should be enough to figure out what was changed and then it's all over. Releasing actual exploit code only lowers the barrier to entry but a small amount.

Re:Did anyone think it was secure anyway?

[jamesh]

Doesn't everyone with a clue use it via a VPN anyway?

RDP with NLA gives you just as much protection as a VPN, and one less layer to worry about.

Use a VPN if you need to expose services in addition to RDP or need to support really old RDP clients but otherwise a VPN is just additional complexity.

Re:Did anyone think it was secure anyway?

Doesn't everyone with a clue use it via a VPN anyway?

Nope.

RDP has been encrypted and relatively secure for years now. It's frequently "good enough" encryption on its own. Just as SSH is frequently "good enough" on its own, and run without a a VPN.

I'd suggest that, at this point, running RDP through a VPN doesn't actually get you much more in the way of real security... Although it would allow you to choose specifically who to trust - Cisco, instead of Microsoft, for example.

Re:Did anyone think it was secure anyway?

[omglolbah]

Not many people with a clue would use Windows for anything serious anyway.

Well.....

At -least- 5 different oil rigs in the North Sea run their HMI for operating the process control systems on win2003 server.

I'm not sure how the people who design this would be considered 'clueless' when it comes to design.

The usual MS bashing gets old.. but this -is- slashdot after all :p

Re:Did anyone think it was secure anyway?

Maybe u guys have machines. We do boxes only!

Re:Did anyone think it was secure anyway?

it's "boxen"

My hobby: giving tips to random people on how to be more irritating

Re:Did anyone think it was secure anyway?

It's "boxen".

My hobby: Giving tips to random people on how to be more irritating.

FTFY!

My hobby: Correcting grammatical errors for no good reason.

Re:Did anyone think it was secure anyway?

... or people who didn't know untrusted parties could get on their internal networks.

Isn't that already covered by "people without a clue"?

Re:Did anyone think it was secure anyway?

It's turned off by default, which is probably pretty darn secure. In Vista, 7, and Server 2008, Remote Desktop supports network-level authentication which would require you to log-in to the network before being able to exploit this, which means its effectively been fixed for 6 years. If they manage to authenticate already, then your Linux box with SSH on it isn't any safer than the Remote Desktop machine.

There are three radio buttons in the "Remote Desktop Settings" menu: "Don't allow connections to this computer", "Allow connections from computers running any version of remote desktop (less secure)", and "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)". So in order to be vulnerable, you have to click the check-box that says less secure on it.

Re:Did anyone think it was secure anyway?

You are correct, and guess what? The only reason for the move? Lower cost of code production, but for a company that must support many (as in multiple hundred) of those types of "servers" It would be nice to move to a more robust system. Luckily the rigs are not totally dependent on those servers. I have lent out my services to companies that used the Windows Server platform for their drilling or PI platforms and they were owned by worms that used AV software to move across the PCN firewall.

So thank you, and the ITards like you, without you I wouldn't be able to charge as much for my time.

Re:Did anyone think it was secure anyway?

Doesn't everyone with a clue use it via a VPN anyway?

You do realize that some malware can tunnel through VPNs via infected VPN clients? Or get through your mail scanners via a new attachment exploit to land on internal machines?

Firewalls are useful, but they're just becoming speed bumps as time goes on, and relying on them for security and thinking you're safe just because a server isn't directly accessible from the public Internet is becoming foolish.

Re:Did anyone think it was secure anyway?

Yes you should always use ssh over vpn.
SSH has had vulnerabilities too. So have various VPN protocols, the idea here is to make it less likely that an attacker can break both.

Re:Did anyone think it was secure anyway?

[cusco]

Only if it was built by DEC.

Now get off my lawn!

Re:Did anyone think it was secure anyway?

Additional security for that complexity. To put your trust in RDP or SSH without vpn is crazy talk. Security is a process not a thing.

Re:Did anyone think it was secure anyway?

[LordLimecat]

....Or you could use a TS gateway....

Any particular reason why a SSH tunnel is inherently more secure than a TS gateway?

Re:Did anyone think it was secure anyway?

[cusco]

Lower cost of code production

Half-right. The code was written when Server 2003's APIs were the predominant security model on the planet. Unfortunately the new security model in Win7/Svr2008 breaks a lot of that code, sometime in non-obvious ways. An enormous industrial machine code base cannot be ported to the new OSs without major or complete re-writes. A goodly amount of that code is for custom-built systems or machines that are no longer being manufactured but which will continue to function for decades longer, and that code will probably NEVER be ported over.

I contracted at a utility that had a knee-high pile of ancient Compaq 386 laptops in their radio communications shop. When I offered to dispose of them the guys told me they had a half-million dollar radio tower which used configuration software that would **ONLY** run under MS DOS 3 on a 386 CPU. The manufacturer had been gobbled up by some other company and had no intention of re-writing software for a product that they no longer made. They kept that pile for 14 years, until the tower was finally replaced.

So, yeah, there's a shitload of that stuff out there and you're just going to have to keep dealing with DOS, Win9x, NT, Win2K, for the next couple of decades.

Re:Did anyone think it was secure anyway?

[LordLimecat]

Everything I could find indicates that NLA has nothing to do with encryption: It is just to prevent the server from having to do a lot of processing prior to logon (reduce DDOS possibilities) and to allow single-sign-on:
http://en.wikipedia.org/wiki/Network_Level_Authentication

There are separate settings for encryption level, which AFAIK is enabled by default since 6.0.

Re:Did anyone think it was secure anyway?

[LordLimecat]

The point of a good zone-based firewall is that you can specify that VPN traffic has access only to very specific servers on very specific ports.

Re:Did anyone think it was secure anyway?

[hairyfeet]

Well I use Easyconnect to help some of my customers when they some basic stupid problem that doesn't warrant them paying for a service call. Its nice to be able to use Win 7 Easyconnect to have not only control of their desktop but an open 2 way chat session so they can sit there and type "See this thing here? i don't understand that" or "This is the part where I can't get it to print" or whatever. i hope this doesn't affect Easyconnect as that thing is a real blessing to use repair guys, its simple enough even the most average of Joes can be walked through launching it in less than 3 minutes, gives us an easy way to take control of the desktop and actually see what is going on with the unit like we were standing by the customer and lets them chat with us while we work so they can easily point out things they are having trouble with.

My customers love it as i only charge $35 for the average EC session and this lets them get their problems fixed without having to come in or pay for a service call, i love it as its simple and easy and a great little value add on my new builds, its a win/win and i just hope this doesn't fuck that up. The average user simply doesn't have the skills to run something like VNC and trying to walk them through starting a VNC session is a fricking nightmare, whereas EC is "clicky clicky and give me the password" simple.

Re:Did anyone think it was secure anyway?

[GIL_Dude]

Yes, most of us use it with VPN. However consider this:

1) Someone with possibly a bit less skill at finding vulnerabilities takes this code and merges it with a social engineering attack.
2) The social engineering attack promises the user some silly thing (maybe extra smiley faces or dancing cats).
3) The user runs the program inside the corporate firewall.
4) All the company's servers begin blue screening as the user's machine spews these malformed RDP packets.

Honestly, that's not too far fetched and some type of blended exploit like this will probably happen. That's why it is important to patch machines for this and not think that a border firewall is going to protect you for long.

Re:Did anyone think it was secure anyway?

[Pieroxy]

That's just placing trust in the VPN software, rather than the terminal services server. How does that help?

It does help a great deal: Your VPN becomes the key to being on your private network. Then, you only have your VPN to secure, not your multitude of services you want exposed to the outside world.

At home I have three linux machines and one Windows with various services running on each. From the outside, I need several of them: SVN, console, VNC, RDP, file access, etc. I decided to only open ONE sshd to the outside and tunnel every other service I need through this SSH. That way, I just need to maintain my sshd secure for the whole thing to be secure.I don't need to secure RDP, VNC, SVN, etc.

Of course, when facing threats from your own network, it doesn't help.

Re:Did anyone think it was secure anyway?

Oy,

All it takes to exploit this is sending a couple of carefully crafted packets. Does not matter how encrypted it is. If the RDP port is exposed, and the right packets are sent to trigger the exploit. Game Over.

And in this case RDP can be exploited like this. Currently SSH and VPNs are not known to have this weakness.

Re:Did anyone think it was secure anyway?

Have you tried join.me? Not a shill, I use it the same way you use EC & love it.

Re:Did anyone think it was secure anyway?

Yes, it is.

Re:Did anyone think it was secure anyway?

[dbIII]

One is designed with security as a key feature and the other has a pile of features, including maybe enough security to tick off a checklist but not really a major consideration. It's not really MS bashing, it's just pointing out a product intended for use on a nice safe LAN is not going to be as good on an unprotected network as something specificly designed to act as a secure gateway. That's why I trust the software designed for a specific role instead of the one that has it as an afterthought. It would be obvious if the MS bashing and MS fanboy rubbish was not getting people to mindlessly cheer for a team.

Re:Did anyone think it was secure anyway?

[drinkypoo]

Depends on your definition of power user. To me, if you can't figure out the ipsec tools in Windows, you aren't one.

Re:Did anyone think it was secure anyway?

[dbIII]

Except in the case given by the article where the thing can be exploited just by sending packets and the attackers are in before any authentication or encryption happens. With something else as the gateway those RDP packets will never even get to the host unless they have another way in first.
I'm not MS bashing, I'd treat VNC the same way and I'd never ever trust naked X outside of a very trustworthy LAN segment.

Re:Did anyone think it was secure anyway?

[CastrTroy]

I would say that way too many businesses have things set up to be open to the internet at large. Configure your firewalls appropriately. If you need you RDP machine accessible from "the internet" then at least configure your firewalls so that only certain IPs can access that port. If that means providing a static IP to your employees that need to connect, then so be it. Sure it's convenient to be able to connect to your computers from any other internet connected computer in the world, but it is by no means secure.

Re:Did anyone think it was secure anyway?

[thesh0ck]

...and those that are not an error. It is in fact boxes.

Re:Did anyone think it was secure anyway?

[aztracker1]

RDP is an encrypted connection... with similar methods to TLS, SSH, and VPN... unless you're suggesting you should only use HTTPS or SSH when using a VPN connection?

Re:Did anyone think it was secure anyway?

Currently SSH and VPNs are not known to have this weakness.

Look harder.

Re:Did anyone think it was secure anyway?

[aztracker1]

Had a similar situation with a radio station... their music system (only a couple years old at that time) was reliant on a *real* DOS subsystem (win9x was as "new" as it could handle) and needed a 16-bit ISA capable slot... no support... they spent a lot of money for a late (in the market) AMD 5x86 based system capable of running it, with a couple of spares (was in the early Pentium 3 era at a that time). It isn't/wasn't common at *all* ... there's a reason that there are still regular serial ports, and on motherboards today.

Re:Did anyone think it was secure anyway?

[Vrtigo1]

Just think about all those businesses out there that are otherwise smart enough to use VPN, but have servers out in AWS or Rackspace or GoDaddy that don't have an easy way to admin them other than by leaving RDP open. A lot of times those machines are stood up by software guys that don't know enough to be worried about public facing RDP.

Re:Did anyone think it was secure anyway?

[Alomex]

Recently I've seen contracts where the purchaser demands that the code be placed in escrow with a third party. The code is released under a variety of scenarios including lack of upgrades.

Re:Did anyone think it was secure anyway?

That kind of proves the point, don't you think? Isn't undersea petroleum drilling the very definition of cluelessness?

Tesla figured out it was stupid to use up non-renewable resources back in 1915, and he was nuts.

Re:Did anyone think it was secure anyway?

[spire3661]

How do i setup a free VPN using a consumer grade router (WNDR3700) and Windows PCs? Al I do is leave the router remote management port open and then open the RDP hole as needed.

Re:Did anyone think it was secure anyway?

If you read the details on this systems with NLA enabled are not affected.

Re:Did anyone think it was secure anyway?

It's not a grammatical error to start the second clause with a lower-case letter in the case that it's not a quotation or more than one sentence. It's just a matter of style.

Re:Did anyone think it was secure anyway?

[asdf7890]

As RDP used full encryption and secure authentication procedures, it is seen as a safe protocol to leave open without a VPN - it is no less safe than most VPN solutions in that regard (aside from this recent bug, of course, but even VPNs have authentication bugs from time to time).

Just setting up a VPN in order to use RDC through it may make you more vulnerable, not less, unless you review your firewall and routing setups accordingly. If you do not ensure that only RDP traffic is permitted over the VPN then you might be opening up other internal services to what-ever the VPN user might be infected with.

A properly configured VPN with suitable routing/firewall rules will make you more secure, yes. But a badly configured VPN could have exactly the opposite effect, and I'd wager that a lot of machines with RDP available to the 'net at large are hosted servers run by amateur admins who are more likely than you or I to get a VPN setup wrong through naivety so just RDP is the safer default for them.

Re:Did anyone think it was secure anyway?

That kind of post is one way ACs get a bad reputation around here...

All it takes to exploit this is sending a couple of carefully crafted packets. Does not matter how encrypted it is.

No. If NLA with CredSSP is in use then the vulnerability is not exposed. Just read the MS TechNet article. Note that although the TechNet article only describes CredSSP on Windows 6.x kernel operating systems, you can enable CredSSP on WinXP SP3 and install the RDP 7.0 client to achieve safety.

If the RDP port is exposed, and the right packets are sent to trigger the exploit. Game Over.

No. The port must be exposed *and* the RDP service must be enabled, which is not the default configuration. Just read the same link to verify this for yourself.

Currently SSH and VPNs are not known to have this weakness.

VPNs and SSH do have occasional vulnerabilities, and you can find relevant information if you just look for it.

- T

Re:Did anyone think it was secure anyway?

[plover]

I contracted at a utility that had a knee-high pile of ancient Compaq 386 laptops in their radio communications shop. When I offered to dispose of them the guys told me they had a half-million dollar radio tower which used configuration software that would **ONLY** run under MS DOS 3 on a 386 CPU. The manufacturer had been gobbled up by some other company and had no intention of re-writing software for a product that they no longer made. They kept that pile for 14 years, until the tower was finally replaced.

Lemme have a "Yay" for GW-BASIC and TSRs!

<crickets>

OK, then, let me have the system maintenance contractor's paycheck. Yay!

Re:Did anyone think it was secure anyway?

[hairyfeet]

Tried Chrome's screencap and several others and friend don't nothing compare to EC. you see EC will automatically drop their desktop into basic mode to make for a lighter transmission, I'm sure yours don't do that, it requires NO account or software installs, again i seriously doubt the same is true of join me, and finally its so simple that i only have to walk them through it ONCE and after that it is literally "See my name? Click that" and they are done, EC does the rest. I have taken control of a checkout girl's desktop in less than 4 minutes and that poor thing couldn't even find control panel, bless her little clueless heart. With EC its just like a Godsend for repair and tech support as it does ALL the heavy lifting, deals with NAT, no software or accounts to mess with, no complex passwords to remember, just a one time number they read off to me over the phone. that's it, no muss, no fuss, no hassle.

I'll have to see if EC still works when my dad's new laptop comes in, I found him a sweeeet AMD quad for $430 so he can carry his office with him on the truck and give out quotes and bids but you know those things are ALWAYS full of crapware, so i think when he gets it i'll try EC to hook up and clean out the garbage, this will let me see if this latest patch broke anything but God i hope not. hell that was one of my biggest selling points for getting my customers to switch to 7, because with EC I just give them my chat address and they can pop up a "Help Me!" message any time I'm online and have an instant "tech in a box" to help them with their problems. made selling new Win 7 units easy peasy and was a great value add for my business. man that would suck if they broke EC but that would be about the speed of MSFT, break the best thing on the damned OS.

Re:Did anyone think it was secure anyway?

[Culture20]

It does help a great deal: Your VPN becomes the key to being on your private network. Then, you only have your VPN to secure, not your multitude of services you want exposed to the outside world.

That's like having your garage door closed. "As long as my garage door is closed, I don't have to worry about locking the door between the garage and the rest of the house" until someone uses a universal garage remote to mimic your garage door opener's signal.

Re:Did anyone think it was secure anyway?

[EdIII]

....Or you could use a TS gateway....

Any particular reason why a SSH tunnel is inherently more secure than a TS gateway?

...one is part of a Microsoft product?

I hate to say it, but the mods should not be so quick here. Microsoft does have an awful lot of security holes. Most people would be crazy to let anyone connect to any kind of Microsoft based service over an Internet connection. Wrapping those connections up in something else like VPN is really the only way to go.

Linux has it share of vulnerabilities to be sure, but if it is Microsoft it is not an unreasonable position to say it is less secure and to take the appropriate precautions.

I would never trust a TS gateway to remain secure, and certainly not more than SSH tunnels.

Re:Did anyone think it was secure anyway?

[EdIII]

Some of us are worried, but our hands are tied.

I have had a few clients with open RDP, and you can bet I have been up on this with recommending patching to their current IT, and I had no ability to change it. The business owners want access from anywhere on the Internet and don't want the expense and hassle of VPN. In one case it literally comes down to the simplicity of putting in their domain name into an RDP client and anything more complicated is unacceptable.

In those cases I have a letter explaining about the dangers of running it that way, the associated costs of repair, etc.

You can lead a horse to water.....

Re:Did anyone think it was secure anyway?

[dbIII]

OpenVPN or one of the other projects, of which there were about a dozen viable ones in 2000 and most likely a lot more than that now. That's just the free ones. There are also plenty of "cheap" ones.

Re:Did anyone think it was secure anyway?

[dbIII]

unless you review your firewall and routing setups accordingly

Didn't I say "with a clue" above? Is there anyone, anywhere, that has the faintest idea of how to set up a VPN that doesn't know that they should change their other settings after they do it? Your statement is like suggesting that before a diver attempts a triple sommersault and twist they should learn how to swim first.

Re:Did anyone think it was secure anyway?

[jamesh]

Yes I meant protection from the enormous attack surface that an unauthenticated GUI gives you.

Re:Did anyone think it was secure anyway?

[benjymouse]

As soon as you release a patch fixing a problem you've given the black hats enough to exploit it if it is exploitable. A simple binary diff should be enough to figure out what was changed and then it's all over. Releasing actual exploit code only lowers the barrier to entry but a small amount.

The Microsoft security partners may also receive actual proof-of-concept code to make it easier for them to create signatures which will help recognize an attack. By receiving actual PoC code the would-be attackers don't even need to reverse engineer anything.

A number of MAPP partners are chinese companies. Given that this was circulating on chinese sites, the chinese MAPP partners should anticipate an upcoming security audit from MS.

Re:Did anyone think it was secure anyway?

[benjymouse]

Currently SSH and VPNs are not known to have this weakness.

Currently, RDP doesn't have this weakness either. It was patched, remember? And SSH has had serious vulns in the past. Not much difference there.

Re:Did anyone think it was secure anyway?

[Pieroxy]

It does help a great deal: Your VPN becomes the key to being on your private network. Then, you only have your VPN to secure, not your multitude of services you want exposed to the outside world.

That's like having your garage door closed. "As long as my garage door is closed, I don't have to worry about locking the door between the garage and the rest of the house" until someone uses a universal garage remote to mimic your garage door opener's signal.

The only difference is that VPN software or SSH is *designed* to be secure, where your garage door is just supposed to be a convenience to prevent your car from getting too dusty. The proper analogy would be to build a prison wall with one overly secure door around your house, and inside the walls let everything open.

Not entirely true

[Rurik]

It cannot "be exploited remotely to execute arbitrary code". It can only crash the service. There is no RCE developed for this vulnerability, yet. The article itself even says this (even though it's author submitted it here):

"""
Creating a working exploit for the CVE-2012-0002 vulnerability is not trivial, Microsoft security engineers Suha Can and Jonathan Ness said in a blog post on Tuesday. "We would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days."

The PoC is pretty basic, but an experienced exploit writer can modify it to achieve remote code execution, the researcher said.
"""

Yes, MS12-020 is a big deal. But, not THAT big of a deal, yet. Stop flinging FUD around about things that haven't yet happened.

Re:Not entirely true

[g0tai]

That's almost as bad as '640K will be enough for anyone' ;) ..... Murphy's law will prevail and someone will end up writing something that exploits it in a controlled fashion in the next 20 minutes. Unfortunately with bugs like this, the only safe approach is to take the most pessimistic one, that someone somewhere already has an exploit for it that takes control.

Re:Not entirely true

[rdebath]

Except that quote is assuming that the attacker is starting from either now or last tuesday. The POC executable that was leaked was written back in November so there's nothing to say that someone hasn't been working on it the LAST 30 days.

If that's true expect a worm starting up on Friday evening at the latest.
The threat is real and the lack of a public RCE means little.

Re:Not entirely true

[buchner.johannes]

It cannot "be exploited remotely to execute arbitrary code". It can only crash the service. There is no RCE developed for this vulnerability, yet.

As the CVE says:

The Remote Desktop Protocol (RDP) implementation in [...] does not properly process packets in memory, which allows remote attackers to execute arbitrary code by sending crafted RDP packets triggering access to an object that (1) was not properly initialized or (2) is deleted, aka "Remote Desktop Protocol Vulnerability."

And the MS security bulletin also holds it as Maximum Security Impact: Remote Code Execution.

This is not FUD, even if there is no worm completed yet, it is a clear failure of MS security, and their concept of many lines of defense. Also, they promised to implement their own rehash of W^X, but apparently failed.

Re:Not entirely true

[buglista]

Not defending MS here, but W^X is not a panacea.

Also, VPN is always a good idea for access to administrative services - I don't like any kind of admin login from outside without 2-factor auth being involved.

Re:Not entirely true

That's almost as bad as '640K will be enough for anyone'

You mean it's as bad as a faked quote? Really? On my Al Gore invented Internet?! NO WAY!

(Run! It's Glenn Beck.)

Re:Not entirely true

Don't let the door hit you in the ass on the way out Rurik. Anytime there's the possibility of unauthroized remote access to your system, it's a potential security flaw that needs to be addressed. It's that simple and any company that isn't taking this matter seriously deserves every god damn fine they get hit with for Pii that's compromised.

Although there is no Known Code Executuion Capability YET I personally feel that MS is already full of shit in that regards. Someone has already been using this exploit for some time to compromise a corporate network - we just don't know of it.

When it comes to the companies systems, I'm far beyond paranoid in regards to anything like this and we've already started rolling out this patch. We've also added a new filter for the network logs to look for this compromise being used and thankfully nothing has shown up as yet and we may get lucky enough to complete the patching before anyone begins trying as I fully expect someone to take what's known about this hole and widen the damn thing even further in the near future. The scary thing is, just how many systems out there are configured with outward facing RDP enabled by default on networks with many XP boxes that do not support many of the new security features.

Re:Not entirely true

Not defending MS here, but W^X is not a panacea.

Also, VPN is always a good idea for access to administrative services - I don't like any kind of admin login from outside without 2-factor auth being involved.

2-factor-auth doesn't solve anything in this situation. All this happens before the 'auth'.

People with a clue

As the receptionist told me "RDP? Well at least it does not affect windows."

Give it up

[gazbo]

This is the third story about this vulnerability.

"OMG - some software has a vulnerability!"
"OMG - someone's written a proof of concept attack!"
"OMG - someone else has done the same!"

This is even more ridiculous than stories about Bitcoin or the Raspberry Pi. Well, maybe not Bitcoin; that's just fucking retarded.

using Windows Firewall

Remote Desktop Service is running on my system, but I restrict the users by some source IP addresses enabling Windows Firewall.

Exploit packets would reach the target host.
Is it dangerous in my case?

Re:using Windows Firewall

[cbhacking]

Not from a random machine on the Internet (barring an additional bug in Windows Firewall), no. The firewall filters packets before they reach the server program, so the exploitble software would never be executed.

However, if you trust *any* hosts, then you're also opening yourself to any attacks that those machines are vulnerable to. A bug like this, once weaponized (contrary to the title, I don't know of any remote code execution exploit in the wild for the vulnerability, though you should assume one exists anyhow), makes an ideal propagation vector for a worm. Remember, security is a chain of trust, and only as strong as the weakest link.

Re:using Windows Firewall

No, because if you have been diligently installing your updates like you should, the vulnerability is already patched.
That's right. This is a story about a proof-of-concept exploit, and not the first one, of a vulnerability that is already fixed. Additionally, it's a DoS attack, not a RCE attack, but whatever, the main point is that it's been dealt with already.

Re:using Windows Firewall

Not true. It's an RCE vuln... the implementation shown is just a DoS, but the vuln would exploit properly crafted code, hence MS giving it the classification.

Or quoting from the Microsoft Security Bulletin:

This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

captcha: mistake, for you and anyone else who likes RDP.

Leaving the obvious question: how to turn off RDP?

Turns out I already had it disabled (it's disabled by default?), but here's how to disable it in Windows XP or via group policy. Here's how to do it in Windows 7 (untested).

Re:Leaving the obvious question: how to turn off R

[realityimpaired]

It's disabled by default on all consumer versions of their OS. It's been a while since I've installed 2003 or 2008, so I don't know if it's disabled on those systems.

Which makes me doubly pissed that I'd set up a game download overnight last night (my usage is unmetered overnight) and they decided to force an unneeded patch/reboot on me, which fucked up the download. :/

Re:Leaving the obvious question: how to turn off R

[commlinx]

Which makes me doubly pissed that I'd set up a game download overnight last night (my usage is unmetered overnight) and they decided to force an unneeded patch/reboot on me, which fucked up the download. :/

I concur that default does indeed suck, you can do a registry change to disable it though:

http://support.microsoft.com/kb/555444

And yes I use Linux too and realise such pointless hacks aren't necessary :P

No

The patch was already out before this information was "leaked".

Re:Leaving the obvious question: how to turn off R

[realityimpaired]

Thank you... I'll look into it.

My Windows machine gets turned on once a week, maybe... I use it on my days off to play computer games if the spirit moves me. Today, I think I'd rather go for a bike ride. :)

The point is defence in depth, and ...

[dbIII]

... and not to trust the security of people that can't even keep their stuff running when it's a leap year too much. They've even had stuff that executes arbitrary code inside images - some of their software just trusts the environment too much so that you have to control the environment their software runs in very carefully.

Re:Leaving the obvious question: how to turn off R

[DarkXale]

gpedit can be used to control that setting as well. Might be easier to remember for the purposes of multiple systems.

No need to read the comments here...

This thread is going to be hijacked by paid astroturfing M$ fanbois (yup, it's not incompatible) explaining that SSH had a security hole "recently" and that hence Linux is as insecure as Windows...

What did /. become :(

CONFIRMED: Luigi Auriemma is skynet

[WaffleMonster]

It's amazing one mans hobby in realitive terms makes the entire industry look like a collection of clueless script kittens.

The man is a giant... who must be high on powerup mushrooms by now.

Re:Leaving the obvious question: how to turn off R

I use it on my days off to play computer games if the spirit moves me. Today, I think I'd rather go for a bike ride. :)

...so in that case the bike moves you.

Re:Leaving the obvious question: how to turn off R

[spire3661]

Win 7 Home Premium doesnt have gpedit, just sayin.

Also also

[Sycraft-fu]

VPN often leads to a false sense of security. People see it as a panacea, if you just run VPN everything is good. You can see that on Slashdot with the "How could someone not have it behind VPN?" comments as though VPN is the One True Way(tm) to security and they can't conceive any other way.

So someone sets up a VPN and has a trusted/untrusted idea with the firewall and then doesn't properly mind after the "trusted" area since after all, there's the magic VPN protecting it. An employee then bring in an infected laptop, or VPNs in from an infect computer, punching through all the defenses and it is game over.

They are much less safe than someone who does allow RDP in and thus views all networks, including internal, as untrusted and is up on patching this.

Really VPNs are not a security tool for keeping attacks and so on out. What they are is for logically (virtually) connecting two disparate networks. You have office A and office B and you want them to be one logical network, a VPN will get you that. They are also good for encrypting communications if other security can't be relied upon. For example when I'm in an airport I use VPN since their WiFi is open to the world.

This idea that they are some sort of wonderful network security is rather flawed, they can be just the opposite. If an outside computer, not controlled by you, is allowed to punch through the firewall using VPN and become "trusted" to a degree, they are less secure. Also sometimes they are bad on the user end too as a number of them punch through user protections. Some VPN/software firewall combinations can't successfully identify the VPN as a network adapter and thus it punches right through all client side filtering. Combine that with a public IP on the end of the VPN concentrator and you can take someone who was protected with a NAT and host based firewall and expose them to the world, just by them logging in.

Don't get me wrong, I'm not anti-VPN, but people need to think critically about what they are really good for, how they need to be implemented, and stop with this "Everything should be behind VPN, it makes it more secure!" No, it can make it less secure if you fuck up.

Re:Also also

[EdIII]

I don't particularly disagree with what you are saying, but a VPN does make you more secure to outside threats. If you view security as a state, your state of security is higher with a VPN. That is all you are exposing to the outside. One point of attack.

You can apply what you are saying to NAT on consumer firewalls. Sure, they make you "more" secure simply by requiring translation rules to reach internal machines. That does not mean they are immune to attacks and you can ignore logs, not update firmware, have IDS, etc.

Everything you are saying is more or less correct, I just take issue with you implying that VPN has no intrinsic security benefit. It has a benefit in much the same way that NAT has a benefit. Securing client side assets is often overlooked. It does not help that it makes it difficult when executives want to connect with their own hardware from home, or become uncooperative with security policies on corporate laptops

It's no so much a false sense of security as much as it is an enabler for lazy and unsophisticated admins to have security in depth. Everything should be behind VPN, because it does make it more secure. Either that or SSH/SSL protected access to data and services from the outside. Granted if you fuck up it can be worse, but what was the alternative to VPNs that you were proposing? Better than nothing...

Point taken that it is not an excuse to get lazy about securing the internal networks.

Good news, bad news

[slapout]

For a hacker the good news would be they have control of a Windows machine. The bad news would be...they have control of a Windows machine.