Hello Readers! I have decided to jump on the bandwagon and write a quick article that summarises the recent RDP vulnerability that has been discovered by Microsoft. Some of us will have already seen the recent news that Microsoft have released an emergency patch for Windows 2003 and Windows XP following the discovery of an RDP exploit with the same severity as WannaCry and EternalBlue.
This exploit is rated high severity because it can self-replicate and can be executed with minimal complexity, making it very easy for attackers to absorb into their malware toolkits. To put the complexity point in perspective, Microsoft scored the attack complexity at 3.9 out of 10.
What does the exploit do?
To understand what this exploit can be used for, let's see how it works. It works by sending specially crafted packets across the network to a system that has the RDP service enabled and is vulnerable to the exploit. Once these packets are received, an attacker can execute arbitrary code on the target machine. That code can be used to install programs (or other malware); change, delete or exfiltrate data; and create new user accounts with full system rights.
The exploit works both internally within a LAN and across the internet against any exposed RDP port. This means it can be used as the initial intrusion point and also as a lateral movement technique.
RDP is a common protocol for remoting into resources, used by both IT admins and end users, so this exploit affects a large number of machines. What's more worrying is the number of RDP ports that are exposed to the internet.
Who is at risk?
Two things determine who is at risk: machines that have RDP enabled, and that are running unpatched older operating systems.
From the above we can see that there are two factors at play that make this vulnerability viable. The first is RDP exposed to the internet on the default, well-known port 3389. Attackers can use tools such as Shodan to discover internet-facing machines with RDP open and attempt the exploit against them. The second factor the attacker needs is a machine running one of the affected OS versions that has not yet been patched.
Machines with RDP enabled are exposed to this exploit. However, only unpatched machines running Windows Server 2003, Windows XP, Windows 7, Windows Server 2008 and Windows Server 2008 R2 are vulnerable and exploitable.
Thankfully, those running Windows 8.1 and Windows 10 are not affected by this exploit. Those on the operating systems listed above with RDP enabled are vulnerable.
What can we do?
In terms of mitigations, rolling out the patch Microsoft has provided should be the first step; none of us should be unfamiliar with patch management at this point. Even if you are confident that RDP is not enabled on a system, it is recommended that the patch be rolled out anyway, as the exploit could evolve or become a gateway into other exploitation of Windows. Longer term, however, the recommendation is to move away from these legacy operating systems and onto Windows 10 and Windows Server 2016/2019. Although this is a slower, longer process, we have now seen that being on the latest version of Windows mitigates exploits such as this.
If the patch is not an option, there are a few workarounds that Microsoft have suggested. You can enable NLA (Network Level Authentication) across your environment, which forces the client to authenticate before an RDP session is established. The potential issue is that if there is a problem with the Domain Controller, authenticating to a machine will not be possible (as there will be nowhere to authenticate). In the grand scheme of things, though, this is relatively minor compared with leaving RDP fully open on an unpatched, vulnerable system.
Another workaround, as you may have guessed, is to block port 3389 at the perimeter/firewall level. Blocking the port at the firewall protects systems that are truly behind that firewall and therefore guards against internet-based threats; however, systems within the network could still be vulnerable to each other. If you already have 3389 blocked, it is still worth reviewing the rule set to ensure there are no machines excluded from the rules that could pose a risk.
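As an added example (not from the original article), the following PowerShell audit checks a single host for the risk factors discussed above: a legacy OS version, RDP enabled, NLA not enforced, the listener still on port 3389, and the patch missing. The patch KB number is a placeholder because the article does not give one; the registry paths are the standard Terminal Server locations, and PowerShell 2.0-compatible cmdlets are used so the script also runs on the older systems the article is about.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# The KB number varies per OS and is not given in the article: placeholder only.
$PatchKB = 'KB-PLACEHOLDER'

# Get-WmiObject rather than Get-CimInstance so this runs on PowerShell 2.0 (XP/2003/7)
$os = Get-WmiObject -Class Win32_OperatingSystem
# Version prefixes for the OS families the article lists as affected:
# 5.1 = XP, 5.2 = Server 2003, 6.0 = Server 2008, 6.1 = Windows 7 / 2008 R2
$legacy = $os.Version -match '^(5\.1|5\.2|6\.0|6\.1)\b'

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means Remote Desktop connections are allowed
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# UserAuthentication = 1 means NLA is required; the value may be absent on XP/2003,
# which is treated as "not enforced"
$ua  = Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue
$nla = ($ua -ne $null) -and ($ua.UserAuthentication -eq 1)

# PortNumber is the listening port; the article's concern is the default 3389
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber

# Get-HotFix queries Win32_QuickFixEngineering; absent entry means not installed
$patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

$report = New-Object PSObject -Property @{
    ComputerName  = $env:COMPUTERNAME
    OSVersion     = $os.Version
    LegacyOS      = $legacy
    RDPEnabled    = $rdpEnabled
    NLARequired   = $nla
    RDPPort       = $port
    PatchApplied  = $patched
}
$report | Format-List

# The combination the article calls out: legacy OS, RDP on, patch missing.
if ($legacy -and $rdpEnabled -and -not $patched) {
    Write-Warning 'Legacy OS with RDP enabled and patch not found: patch this host first.'
    if (-not $nla) {
        Write-Warning 'NLA is not enforced; enable it as an interim workaround.'
        # Interim workaround from the article; uncomment to enforce NLA on this host.
        # Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    }
}
```

Run it through your existing remote-execution tooling to build an inventory of exposed hosts, and use the RDPPort value when reviewing firewall rules for anything listening on a non-default port.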
Has this exploit been used?
Currently, there have been no known reports from Microsoft or the NCSC (National Cyber Security Centre) of this vulnerability being exploited; however, now that a patch has been released and the knowledge is public, it is likely that attackers have already started to incorporate it into their malware packages. At this point we need to act quicker than the attackers and ensure our systems are locked down and, at the very least, can mitigate this risk. It's only a matter of time before another vulnerability like this is discovered and the cycle starts again.
Without sounding like a broken record, this should be another wake-up call for businesses that haven't moved away from their legacy operating systems. Although being on the latest operating system would mitigate some of the issue, we would still need to understand security within our organisation and understand what services we have enabled and why. Completing those pesky risk assessments can help you understand the services enabled and the potential exposure when a vulnerability like this is discovered. Finally, we should always be agile enough to deploy emergency patches and have confidence that our systems and team can accomplish this. While it is nice that Microsoft have backported a patch for this vulnerability, it will mean very little if we can't roll it out in a timely manner. It's also worth noting that Microsoft do not have to create patches for unsupported operating systems; it's only a matter of time before we are on our own with a decrepit Windows 2003 server and zero help from Microsoft. It's safe to say that Windows Server 2003 and XP really do belong in a museum. I hope you enjoyed this article, along with the many others that are probably circulating around!