Mar 14, 2012 12:04 AM
Volunteer Moderator Leeds, UK
March 13 2012
Microsoft is pushing a fix today for a newly-discovered security flaw which could allow an attacker to connect to any PC running any version of Windows. They rate this as a Level 1 on their Exploitability Index (meaning that attackers will be working on malware to exploit it more or less immediately) and the fix is rated Critical (in other words, do this at once, and do it before any others).
RDP is commonly allowed through firewalls due to its utility. The service runs in kernel-mode as SYSTEM by default on nearly all platforms (except for one exception described below). During our investigation, we determined that this vulnerability is directly exploitable for code execution.
Most non-business users will receive the fix as part of the monthly Microsoft updates released on so-called Patch Tuesday (or, in the UK, Wednesday) but some users who do not have Automatic Updates enabled will be vulnerable to attackers exploiting this security weakness now that details of it have become available. These users can, and should, avail themselves of an alternative fix which Microsoft is making available.
For users and organizations that need time to evaluate the RDP patch before installing it, Microsoft has developed and released a FixIt tool to enable “Network-Level Authentication,” which according to the company is an effective mitigation for this issue.
There is a Microsoft Security Research & Defense blog post here which includes Fix-It solutions for this vulnerability. These do not require a PC to be rebooted after installation, unlike the Patch Tuesday fix.
There is something you can do to substantially reduce the risk on Windows Vista and later systems where RDP is enabled: You can enable Remote Desktop’s Network Level Authentication (NLA) to require authentication before a remote desktop session is established to the remote desktop server .....
Enabling NLA will prevent older clients (including Windows XP and Windows Server 2003) from connecting, by default. NLA will not disrupt remote desktop connections initiated by Windows Vista and later versions of Windows because they support NLA by default.
Microsoft has released an additional Fix-it tool that adds NLA support to Windows XP SP3 desktops and laptops, and this is also to be found in the blog post.
Most domestic users are likely to have Remote Desktop Protocol disabled by default, but this is something which is rarely used and so users are unlikely to know if it is disabled or not. The exception is likely to be any user who has needed to allow a remote user access to his or her machine for fault diagnosis or technical support.
Just to reiterate, remote desktop is not enabled by default and is not commonly enabled on client workstations.
(but:)
We urge you to promptly apply this security update. We also encourage you to consider how you might harden your environment against unauthenticated, attacker-initiated RDP connections.
Message was edited by: Hayton on 14/03/12 05:04:05 GMT
Anyone with RDP enabled and open access to their machine via port 3389 had better patch now, or use Microsoft's Fix-It to enable protection. As the McAfee Patch Tuesday briefing for March noted,
This vulnerability has a number of properties that make it very concerning:
- The RDP service, while off by default, is commonly enabled on servers, and occasionally desktops in many environments. The attack surface in many enterprises for this is very high.
- The vulnerability can be exploited over the network, and the protocol is often allowed through firewalls.
- The vulnerability can be exploited without special authentication, in the default configuration.
This is pretty much the perfect storm for a vulnerability. You can expect attackers to be targeting servers in DMZs with RDP enabled, to use as a jump-off point for additional internal attacks. In addition, it could support a self-propagating worm, similar to the likes of Conficker in 2008/2009. On top of this all, the vulnerability is in the Windows kernel itself, making it difficult to mitigate with host-based countermeasures.
And somehow the Microsoft executable code for this vulnerability has leaked, and been used to construct a Proof-of-Concept which is now on a Chinese website.
SophosLabs has seen proof-of-concept code on Chinese websites which tries to exploit the recently announced Microsoft RDP vulnerability, causing computers to crash.
The critical vulnerability exists in Windows, and could be exploited to spread a worm automatically between vulnerable computers.
The advice from Microsoft and Sophos is to patch your copies of Windows as soon as possible, and Microsoft warned earlier this week that it expected malicious hackers to exploit the flaw within 30 days.
Well, that's already happening. The code we've seen - in the form of Python scripts - attempts to exploit the MS12-020 RDP vulnerability and causes Windows computers to blue screen. It wouldn't be a surprise if whoever is writing this code further develops the attacks to produce a fast-spreading internet worm.
Jim Walter (Manager of the McAfee Threat Intelligence Service) is keeping track of developments and updating his blog post about this ("RDP+RCE=Bad News (MS12-020)"), at the moment pretty much on a daily basis. It might be a good idea to keep an eye on his blog to see where this is heading.
Edit(2) - Jim Walter has stopped updating his blog. Last entry was 16 March. I can fill in a few new details - see below.
Edit : I don't know how long this will keep active (I give it 6 months) but there is a new Group specifically dedicated to this RDP vulnerability and its ramifications. You have to join to post, but there's no vetting involved. Just click on the button and you're in the group. Go to
Message was edited by: Hayton - spreading the word about the new MS12-020 Group - on 17/03/12 04:39:55 GMT
Message was edited by: Hayton on 21/03/12 03:18:07 GMT
Message was edited by: Hayton on 21/03/12 06:17:02 GMT
There is a McAfee Threat Advisory document in the Corporate KnowledgeBase HERE, with a link to a PDF file which has information and advice on threat mitigation.
Only a few days after the first proof-of-concept appeared it seems that a working exploit may have been released. McAfee Security Advisory MTIS12-047 states that
Some more recent executable attack tools are detected via GTI as Artemis!2720ADCEEE54.
and VirusTotal have two recent reports (HERE and HERE) which identify a suspect file with that Artemis detection code. The file is called "3389 0day.exe" and so may be connected to the proof-of-concept code that appeared recently on a Chinese website.
Threat details for this vulnerability can be found at http://www.mcafee.com/threat-intelligence/vulnerability/default.aspx?crid=68595. Note that under the 'Additional Resources' tab is a link to http://aluigi.altervista.org/adv/ms12-020_leak.txt, the website of Luigi Auriemma (who discovered this vulnerability in 2011). If you click on the link however you will encounter a SiteAdvisor blocking page stating that the site is High Risk because of several red-rated downloads. As Luigi Auriemma is a malware researcher this is perhaps not too surprising. It is very probably quite safe to continue to the webpage, which is his report containing details about the ms12-020 proof-of-concept leak from Microsoft (see below).
Edit - Roger Grimes at InfoWorld has a practical suggestion which is often overlooked: change the default port settings for remote access (and other services). The article can be found at http://www.infoworld.com/d/security/how-defeat-the-new-rdp-exploit-the-easy-way-189019
Message was edited by: Hayton on 21/03/12 15:17:00 GMT
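As an added example (not from the original posts, and not Microsoft's Fix-it), here is a PowerShell audit of the settings the thread discusses: whether Remote Desktop is on, whether NLA is required, and which port it is listening on. It assumes Windows Vista or later (the versions the NLA mitigation applies to) and the standard RDP-Tcp registry location, and only reports findings; the one Set-ItemProperty line is printed, not executed.

```powershell
# Added example: audit a host for MS12-020 exposure (RDP on? NLA required? which port?).
# Assumes Windows Vista or later and the default RDP-Tcp listener. Run from an elevated prompt.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# Read one registry value, returning $null if it does not exist.
function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$deny = Get-RegValue $ts  'fDenyTSConnections'   # 1 = Remote Desktop disabled
$nla  = Get-RegValue $tcp 'UserAuthentication'   # 1 = Network Level Authentication required
$port = Get-RegValue $tcp 'PortNumber'           # 3389 unless changed

if ($deny -ne 0) {
    Write-Host "Remote Desktop is disabled (fDenyTSConnections=$deny); the RDP service is not reachable."
    return
}

Write-Host "Remote Desktop is ENABLED, configured for TCP port $port."
if ($nla -eq 1) {
    Write-Host "NLA is required (UserAuthentication=1): clients must authenticate before a session is established."
} else {
    Write-Host "WARNING: NLA is not required (UserAuthentication=$nla); unauthenticated connections reach the service."
    Write-Host "Apply MS12-020 now. To require NLA (the same value the System Properties checkbox writes):"
    Write-Host "  Set-ItemProperty -Path '$tcp' -Name UserAuthentication -Value 1"
}
if ($port -eq 3389) {
    Write-Host "Listening on the default port 3389; a non-default port cuts opportunistic scans but is no"
    Write-Host "substitute for the patch or NLA."
}

# Confirm what is actually bound: netstat is present on every Windows version in scope.
$listeners = netstat -an | Select-String "TCP\s+\S+:$port\s+\S+\s+LISTENING"
if ($listeners) {
    Write-Host "Confirmed listener on port ${port}:"
    $listeners | ForEach-Object { Write-Host "  $($_.Line.Trim())" }
} else {
    Write-Host "No listener found on port $port (the Remote Desktop service may not be running)."
}
```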