
Microsoft: RDP Vulnerability Should Be Patched Immediately

Posted by Soulskill
from the barn-doors-and-horses dept.
wiredmikey writes "Microsoft is urging organizations to apply the sole critical update in this month's Patch Tuesday release as soon as possible. The critical bulletin – one of six security bulletins issued as part of Tuesday's release – addresses two vulnerabilities in the Remote Desktop Protocol (RDP). Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon's AWS, need to patch as quickly as possible, said Qualys CTO Wolfgang Kandek. Besides the RDP bugs, this month's Patch Tuesday addressed five other vulnerabilities: two denial-of-service bugs and an escalation of privileges issue in Microsoft Windows; a remote code execution vulnerability in Microsoft Expression Design; and an escalation of privileges issue in Microsoft Visual Studio."
  • by PolygamousRanchKid (1290638) on Wednesday March 14, 2012 @02:38AM (#39349463)

    Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.

    Any other ports?

    It's tunnels. All the way down.

    • by Slashcrap (869349) on Wednesday March 14, 2012 @03:27AM (#39349679)

      Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.

      Any other ports?

      It's tunnels. All the way down.

      Yeah, it sure is unfortunate that you can't do exactly the same thing with RDP. And MS should definitely think of adding IPSEC support one of these days (yes, I know). Of course people are probably less likely to bother, since unless you're French, RDP is fully encrypted (standard VNC only encrypts the password) and talking of passwords it allows them to be more than 8 characters long. You can even have a username too, if you use the right version and configure PAM (joke - there is no right version for that because it's a terrible idea security wise). It has also never had a bug where the client could tell the server it didn't support any of its authentication schemes and so the server simply let it connect without authentication.

      In fact this is the first time I've heard of a potential serious vulnerability in Remote Desktop, so frankly this is not the area to be smug about.

      Anyway this is a bit too MS positive for my liking, so I'll just add that TurboVNC + VirtualGL + VirtualBox = one fucking awesome free VDI implementation. Add SSH, OpenVPN or IPSEC to taste if you want (although VirtualGL handles SSH itself transparently if you want). Actually for remote admin purposes you only need the 1st part (unless it's a bunch of 3D workstations you're supporting). And possibly a new hobby to use to soak up all the time you used to waste waiting for the screen to refresh. I would also mention FreeNX, but a) I think it gets outperformed by the above and b) I am fucked if I'm setting that damned thing up again just to verify.

      Oh yeah, one more neat trick - VirtualBox can run in headless mode on a box with no GUI (or with one, doesn't matter). In this mode it serves up the VM display using an extended version of RDP. The great thing is this doesn't just apply to Windows VMs - it can serve any OS it can run over RDP. Watch the look on your colleagues' faces as you get them to fire up MSTSC and connect straight into Ubuntu. Or OS/2, OS X, Win 3.1 etc., etc. You can even dump them into an EFI shell or the virtual BIOS. Literally minutes of laughs to be had. Oh yeah, you may need the non-open source extension pack for that. Also they're adding VNC in the next release. I have no fucking idea why.

      And no, I have no idea why you're not allowed to use RDP encryption in France. I have no idea why they're not allowed to use deodorant either, come to think of it.

      • by Anonymous Coward

        Yeah, it sure is unfortunate that you can't do exactly the same thing with RDP. ....

        Actually you can:
        - cygwin on the Windows box
        - sshd service under cygwin
        - connect via ssh into your windows box
        - tunnel through the ssh into port 3389 on the same box
        - open Terminal Services client, connect to localhost:XXXX
        Works like a charm for me.
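
The client side of the steps above, as an added example (not the commenter's own script): it brings up the SSH forward to TCP/3389 on the Windows box, waits for the local end to listen, then launches the Terminal Services client against it. Assumes a cygwin sshd on the Windows box with key authentication, an ssh client on PATH, and placeholder host/user names.

```powershell
# Added example, not from the post. Placeholders: change host, user, port.
$WinHost   = 'winbox.example.internal'   # the Windows box running cygwin sshd
$SshUser   = 'admin'                     # cygwin account with an authorized key
$LocalPort = 3390                        # the "XXXX" from the post

# 1. Forward local 3390 to 127.0.0.1:3389 as seen from the Windows box.
#    -N: no remote shell; key-only auth so no password guessing is possible
#    against sshd; ExitOnForwardFailure so a dead forward is noticed.
$ssh = Start-Process -FilePath 'ssh' -PassThru -NoNewWindow -ArgumentList @(
    '-N',
    '-o', 'PasswordAuthentication=no',
    '-o', 'ExitOnForwardFailure=yes',
    '-L', "127.0.0.1:${LocalPort}:127.0.0.1:3389",
    "${SshUser}@${WinHost}"
)

# 2. Wait (up to 20 s) until the forward actually listens before starting mstsc.
$deadline  = (Get-Date).AddSeconds(20)
$listening = $false
do {
    Start-Sleep -Milliseconds 500
    $probe = New-Object System.Net.Sockets.TcpClient
    try   { $probe.Connect('127.0.0.1', $LocalPort); $listening = $true }
    catch { $listening = $false }
    finally { $probe.Close() }
} until ($listening -or $ssh.HasExited -or (Get-Date) -gt $deadline)

if (-not $listening) {
    Stop-Process -Id $ssh.Id -ErrorAction SilentlyContinue
    throw "SSH tunnel to $WinHost did not come up"
}

# 3. Connect the Terminal Services client to the local end of the tunnel.
Start-Process -FilePath 'mstsc' -ArgumentList "/v:127.0.0.1:${LocalPort}" -Wait

# 4. Tear the tunnel down once the RDP session is closed.
Stop-Process -Id $ssh.Id -ErrorAction SilentlyContinue
```

The tunnel only removes the exposure if inbound TCP/3389 from the network is blocked on the Windows box itself (Windows Firewall does not filter loopback, so the forwarded connection from 127.0.0.1 still works), and if sshd is set to `PasswordAuthentication no` so the guessing problem is not just moved to port 22.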

    • You can definitely tunnel RDP, it's built right into Windows and called Terminal Server Gateway. With that you can use client cert validation and tunnel in over SSL. Add some nice middleware and it will even allow you to use hardware password tokens (if you can afford them).
      What people seem to be forgetting is that RDP alone is not really a "secure" communications channel for public networks. If you need high security, users should be VPNing into your LAN and then RDPing over that tunnel.
  • As if it isn't bad enough that an RDP worm is already spreading due to weak passwords. If users/admins are incompetent enough to use passwords fit for luggage you can only guess how many unprotected Internet facing RDP servers will be ravaged within the next few weeks. Don't get me wrong. I have seen situations that actually call for an Internet facing RDP, such as screaming sales execs behind third party firewalls that block egress GRE, 443, and 22, with the variety of IP addresses causing admins to pla
    • by lucm (889690)

      If users/admins are incompetent enough to use passwords fit for luggage you can only guess how many unprotected Internet facing RDP servers will be ravaged within the next few weeks.

      This is not a problem unique to Windows. At least once or twice a year I stumble upon machines where I can use SCOTT TIGER, toor or "secret" credentials.

  • Since when has Microsoft started counting those as bugs? Their usual policy is only to count remote exploits as "real" bugs worth being announced.

    • by dkf (304284)

      Since when has Microsoft started counting those as bugs? Their usual policy is only to count remote exploits as "real" bugs worth being announced.

      Why complain? It's exactly the right thing for Microsoft to be doing.

      Their big problem is the massive overhang of software that's not been properly designed for security (e.g., too much is still default-allow) and which people continue to want to use. The various Unix-based OSes have an advantage here, even if it is one of happenstance: Unix apps have been designed for use in privilege-separated environments, and have been for many decades. Microsoft got with the program later, and that's always much harder

      • by Alex Belits (437) *

        Oh, I am not complaining. I am just surprised after years of Microsoft shills screaming "Linux has a security bug in libpng but Windows does not!" and similar nonsense.

    • by msobkow (48369)

      So it took them a few decades to learn that a privilege escalation is only one step removed from a full intrusion. At least they did eventually learn.

    • by Anonymous Coward

      Since when has Microsoft started counting those as bugs? Their usual policy is only to count remote exploits as "real" bugs worth being announced.

      No! Don't let facts stop you from MS bashing! What kind of an anti-MS troll are you? You need to undergo training, buddy...

      Step 1: Ignore all the thousands of security bugs that Linux developers introduce into the codebase every year.
      Step 2: Read more slashdot.

  • Microsoft has been counting IE security holes as Remote Execution a long time, which actually requires user intervention at the client-side.

    I'm rather surprised that it took this long before somebody found a possible breach in the RDP implementation.

  • I would think that most people who absolutely needed to remote into their machines over the Internet would use some kind of tunnelling to a jumpbox or remote access appliance to RDP to an internal server...
  • First, I've never once seen a best practices document that says "put RDP on the Internet." Maybe one exists, or maybe there are special cases somewhere that allow for it, but to me it just seems stupid to connect a Windows machine directly to the Internet, or port-forward directly to one from the edge device.

    Second, has anyone heard of an exploit for this that involves a prior uncovered exploit - basically you get some malware that "phones home" to an SSH server and opens a reverse tunnel back to the local

    • by drinkypoo (153816)

      The really sad thing is that there's IPsec in Windows and it's a trivial matter to create a policy that requires all connections to a particular service to be encrypted.
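
What such a policy looks like, as an added example (not drinkypoo's): a connection security rule that negotiates IPsec for TCP/3389, paired with a firewall rule that admits RDP only when the peer is authenticated and the traffic encrypted. Assumes domain-joined machines (Kerberos machine authentication) and the `netsh advfirewall` syntax of Windows 7/2008 R2 and later; confirm the parameter set on your build with `netsh advfirewall consec add rule ?`.

```powershell
# Added example, not from the post. Run elevated on the RDP host (deploying
# the same consec rule to clients via Group Policy makes them negotiate too).

# Connection security rule: any peer reaching our TCP/3389 must use ESP with
# AES-256 encryption and SHA-1 integrity; keys roll every 60 min or 100 MB.
netsh advfirewall consec add rule `
    name="Require IPsec for RDP" `
    endpoint1=any endpoint2=any `
    protocol=tcp port1=any port2=3389 `
    action=requireinrequireout `
    auth1=computerkerb `
    qmsecmethods="esp:sha1-aes256+60min+100000kb"

# Firewall rule: the consec rule alone does not close the listener; the
# inbound allow for 3389 must itself demand an authenticated + encrypted
# (security=authenc) connection, so a plaintext client is dropped.
netsh advfirewall firewall add rule `
    name="RDP (IPsec authenticated and encrypted only)" `
    dir=in action=allow protocol=TCP localport=3389 `
    security=authenc

# Verification: the rule is present, and after a client connects a main-mode
# security association for it should appear in the monitor output.
netsh advfirewall consec show rule name="Require IPsec for RDP"
netsh advfirewall monitor show mmsa
```

Any pre-existing plain "Remote Desktop" allow rule for 3389 has to be disabled as well, otherwise it still lets unprotected clients through.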

    • You're the first to hit it on the head! Why would anyone put a Windows box anywhere close to the internet? Where is the VPN! No VPN, no connection. VPN then RDP, problem solved.
      • Well, with the low number of RDP holes over the years, statistically speaking, it's just as likely your VPN will have an exploit and get hacked.

        Remember, it's turtles all the way down. All a hacker needs to find is the weakest link in the chain.

    • I've never seen an official best practice document that says not to make RDP open over a public IP. Where did this myth and misconception that RDP is inherently more insecure than any other protocol out there come from? Is it because now that you can visually see the Windows sign on screen via GUI that it's too close for comfort? In other words, is it just psychological? The way I understand RDP, it's just another service that streams data back and forth between the server and client.

      Just how did this FUD get st
