Serious Vulnerability in Microsoft Remote Desktop
On March 13, 2012, Microsoft released Advisory 2671387 which stated
that Microsoft has fixed a vulnerability in Microsoft Remote Desktop
Protocol (RDP) that if exploited could grant complete control to an
On a computer running Microsoft Remote Desktop in a default
configuration, an attacker without credentials can send a specially
crafted sequence of data to the computer and gain complete control
of the vulnerable computer.
This affects all supported versions of Microsoft Windows.
By default, RDP uses TCP port 3389. This port is open at the
University and is continually scanned by attackers. Normally the
attackers are attempting to guess a valid username and password on
the machine. The ITS Security Operations and Services (SOS) Office has not
observed a major increase in traffic as of March 16, 2012.
However, as of March 16, 2012, a bounty of almost $1500 USD has been offered
for a working exploit. While SOS believes attackers attempt to
develop exploits after every vulnerability announcement, this
vulnerability is of particular concern because a working exploit could turn into
a self-spreading worm that infects all unprotected Windows systems
running Remote Desktop.
Microsoft Security Bulletin MS12-020 included a patch that should be
applied as soon as possible. Microsoft expects working exploits to
be in use within weeks (if not sooner).
The suggestions below will not fix the underlying vulnerability, but
provide defense in depth against possible attacks. Detailed
explanations of each workaround can be found in the Microsoft
Disable Remote Desktop
   Best practice is to disable unnecessary services on a machine.
If Remote Desktop is not needed, disable it.
Limit Access to TCP Port 3389 via a Firewall
   Only allow connections from trusted IP ranges. For example, limit
TCP 3389 to only the University and require users to connect to the
University VPN service before using RDP.
Enable Network Level Authentication on Modern Windows Systems
   If you only use Windows Vista, Windows 7, Server 2008, and Server
2008 R2 as RDP clients, you can enable Network Level Authentication
and force a user to authenticate before being allowed to use RDP.
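The following audit script, added here as an example and not part of the advisory or of any Microsoft tooling, checks a Windows host for the three workarounds above (Remote Desktop disabled, TCP 3389 restricted by the built-in firewall, NLA required) and shows the commented-out commands that apply each one. The trusted IP range and the firewall rule name are assumed placeholders; run it from an elevated PowerShell prompt on Vista/Server 2008 or later.

```powershell
# Added audit script for the MS12-020 workarounds (not from the advisory).
# Run in an elevated PowerShell prompt on the Windows host being checked.
$TrustedRanges = '192.0.2.0/24'   # constructed placeholder, replace with your real trusted ranges

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# Workaround 1: is Remote Desktop enabled at all? fDenyTSConnections = 1 means disabled.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 1) {
    Write-Output 'Remote Desktop: DISABLED (workaround 1 in place)'
} else {
    Write-Output 'Remote Desktop: ENABLED - disable it if it is not needed'
    # To disable: Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
}

# Workaround 3: Network Level Authentication. UserAuthentication = 1 requires NLA,
# so the listener only processes session data after the client has authenticated.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -eq 1) {
    Write-Output 'NLA: REQUIRED (workaround 3 in place)'
} else {
    Write-Output 'NLA: NOT required - enable it if every client supports it'
    # To enable: Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
}

# Workaround 2: restrict inbound TCP 3389 to trusted ranges with the built-in firewall.
$ruleName = 'RDP-TrustedRangesOnly'   # assumed rule name, not a built-in one
$existing = netsh advfirewall firewall show rule name="$ruleName"
if ($LASTEXITCODE -ne 0) {
    Write-Output "Firewall: no rule '$ruleName' limiting TCP 3389 to trusted ranges"
    # To add it, then disable the default 'Remote Desktop' rule group so it does not
    # still allow 3389 from anywhere:
    # netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow protocol=TCP localport=3389 remoteip=$TrustedRanges
    # netsh advfirewall firewall set rule group="remote desktop" new enable=no
} else {
    Write-Output "Firewall: rule '$ruleName' present; allowed sources:"
    $existing | Select-String 'RemoteIP'
}
```

The firewall check only confirms the named rule exists; review the RemoteIP line it prints against your trusted ranges, and make sure no other inbound rule still allows TCP 3389 from any address.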
   CVE-2012-0002: A closer look at MS12-020's critical issue
   Strength, flexibility and the March 2012 security bulletins