Incomplete Patch for Reverse RDP Attacks Leaves Clients Vulnerable
Although Microsoft previously patched a vulnerability related to reverse RDP attacks, researchers discovered that third-party RDP clients are still completely vulnerable.
RDP Vulnerabilities Continue to Be Exploited
Remote Desktop Protocol (RDP) has been used for over a decade to let Windows client PCs and devices remotely access and administer other computers. However, it is also one of the services most notorious for increasing risk.
Over the years, attackers have wreaked havoc across nearly every country by exploiting RDP vulnerabilities, costing organizations (private and public) millions of dollars in recovery. After all this time, it’s no surprise that these remote flaws exist, and yet organizations continue to rely on RDP.
The Danger of Reverse RDP Attacks
In a blog post published Thursday, Check Point explained how a Reverse RDP attack works. In their example, a user attempts to connect to a remote device within the corporate network; however, the device has already been infected by malware. That malware then gives the remote device the ability to attack the user’s device in turn. The attack is known as Reverse RDP because the user thinks they’re controlling the remote device, but in fact the opposite is true.
Reverse RDP isn’t brand new. In fact, Check Point highlighted it to the industry at BlackHat 2019, and later, in October the same year, Microsoft patched the flaw (CVE-2019-0887).
“We assumed this patch meant the vulnerability was indeed fixed,” Check Point stated regarding their initial findings, “and we even mentioned it in our previous blog post: ‘…the fix matches our initial expectations, our Path Traversal vulnerability is now fixed.’”
Check Point then learned that the update itself contains its own flaws, which allow an attacker a workaround. To mitigate this, Microsoft released another update to alleviate the flaw (CVE-2020-0655).
The Problem with the Patch
Upon further investigation, Check Point most recently discovered that Microsoft’s patch does not address the core vulnerability in the associated API function (PathCchCanonicalize) that triggered the problem in the first place.
“We fear that, just like the Reverse RDP scenario that we just demonstrated, the implications of a simple bypass to a core Windows path sanitation function may pose a serious risk to many other software products. We therefore urge all software developers and security researchers to be aware of this vulnerability, and make sure their own software projects are manually patched.”
At this time, Microsoft has yet to offer any explanation as to why it hasn’t resolved the issue, although Check Point stated they’ve notified the vendor.
How to Take Action
“IT staff in large enterprises that use Windows should install Microsoft’s February Patch, CVE-2020-0655, to make sure their RDP client is protected against the attack we’ve presented in BlackHat USA 2019. The second part is addressed to developers worldwide. Microsoft neglected to fix the vulnerability in their official API, and so all programs that were written according to Microsoft’s best practices will still be vulnerable to a Path-Traversal attack. We want developers to be aware of this threat, so that they could go over their programs and manually apply a patch against it.” – Omri Herscovici, Check Point
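A manual check of the kind the quote asks developers to apply can look like the following added example (not code from Check Point, Microsoft or Syxsense): before a file name received from the remote peer is joined to a destination directory, it is validated component by component, treating both `\` and `/` as separators instead of trusting a canonicalization call alone. The function name peer_path_is_contained and the refuse-rather-than-normalize policy are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Both separators are honoured, whatever the canonicalizer does. */
static bool is_sep(char c) { return c == '\\' || c == '/'; }

/* Hypothetical helper (not a Windows API): returns true only if `name`,
 * a relative path supplied by the remote peer, cannot climb out of the
 * directory it will later be joined to. Anything doubtful is refused. */
bool peer_path_is_contained(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    /* Absolute, UNC, drive-qualified and stream forms: "\x", "C:x", "f:s". */
    if (is_sep(name[0]) || strchr(name, ':') != NULL)
        return false;

    const char *p = name;
    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && !is_sep(*p))
            p++;
        size_t len = (size_t)(p - start);

        if (len == 0)                       /* empty component: "a//b" */
            return false;
        /* Covers "." and "..", plus names Windows would silently trim
         * (trailing dot or space) into something else. */
        if (start[len - 1] == '.' || start[len - 1] == ' ')
            return false;
        for (size_t i = 0; i < len; i++)    /* control characters */
            if ((unsigned char)start[i] < 0x20)
                return false;

        if (*p != '\0') {
            p++;                            /* step over the separator */
            if (*p == '\0')                 /* trailing separator */
                return false;
        }
    }
    return true;
}
```

Run the check on the name exactly as received, and again on the final joined path if any decoding or normalization happens in between.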
How can IT departments reliably check RDP, as well as other potential security holes? The answer is simple: use a vulnerability scanner.
RDP is just one piece of the puzzle. It is a popular one, no doubt, but there are other flaws to look out for: backdoors, crypto mining, peer-to-peer applications, open ports, SNMP, and even the configured Windows policies. All must be checked routinely for potential misconfiguration or susceptibility. Now that employees are working from the couch with a corporate device, or even their own, the need for heightened security has never been greater.
Syxsense Secure offers a thorough definitions library so that devices on or off-premise can be securely checked for any of these popular vulnerabilities. This is in contrast to most conventional vulnerability scanners, which must be stood up on-premise with new or existing hardware, licensing, and corporate firewall rules.
Additionally, Syxsense Secure includes Syxsense Manage, where patch management comes standard. Conventional tools fall short due to the lack of any remediation capabilities as well as rudimentary patch definitions. Once devices are checked, exportable reports can easily be emailed on set schedules so that newly-discovered vulnerabilities can easily be identified and sent to the proper parties, whether in-house or third-party.