+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

Serious vulnerabilities found in RDP protocol

microsoft vulnerability

The Remote Desktop Protocol (RDP) is a favoured tool for many systems administrators, as it allows a connection to be made to another computer on your network and see the screen and use the mouse and keyboard as if you were physically sat in front of it.  This means that for many, if not most, of the support tasks system administrators and support staff need to carry out, they do not need to visit the computer in person in order to diagnose faults, install software or apply patches and updates.

A Remote Desktop connection requires an RDP client application and a separate RDP server application. The server application (which receives and allows the client connections) could be running on any kind of computer – a desktop in the call centre, a laptop in the CEO’s office or a large database server in your datacentre, or a virtual machine in the cloud. RDP is available for both Windows and Linux systems, with several open source implementations available.

Check Point Research has recently discovered 25 vulnerabilities (with 16 of these being major) in the RDP implementations from Microsoft and the two popular open source versions. All of these vulnerabilities rely on attacking the client connection using a compromised RDP server application.  A real-world example of an attack scenario could consist of a desktop PC in a call centre becoming infected with malware using traditional phishing or social engineering to trick an employee into opening an attachment with a malicious payload.  The malicious payload can be used to install the attacker’s RDP server software onto the target computer.  Later, a systems administrator from the IT team connects to the infected computer using RDP and the RDP connection is used as the attack vector to install malware onto the sys admin’s own PC.

In this particular scenario, the attackers have been able to elevate their position from a relatively low value device in the call centre, onto the computer of a network system administrator. It is quite possible that the administrator may already be logged-in with administrative privileges, which may have access to high value network segments and systems.

The flaws discovered by Check Point include:

  • A Path Traversal vulnerability in the shared clipboard in the Microsoft RDP implementation, which would allow the delivery of an arbitrary file to an arbitrary location on the client device – such as the Windows Start-up folder.
  • Remote Code Execution (RCE) vulnerabilities in the RDesktop and FreeRDP open source applications.

Interestingly, Microsoft have so far acknowledged the Path Traversal vulnerability but declined to take action. Microsoft responded to Check Point Research with the following:

“Thank you for your submission. We determined your finding is valid but does not meet our bar for servicing. For more information, please see the Microsoft Security Servicing Criteria for Windows (https://aka.ms/windowscriteria).”

System Administrators should consider the following steps to mitigate the flaws discovered:

  • Update to the latest version of RDesktop or FreeRDP where the vulnerabilities have been fixed.
  • If you use Microsoft RDP, consider disabling the “Shared Bi-Directional Clipboard” function.
  • Avoid using RDP to connect to (third party) computers outside of your control.

A full list of the flaws and CVEs are listed in the article by Check Point Research here:

https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients/

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.