Patch Tuesday March 2012 – Remote Desktop Pre-Auth Ring0 Use-After-Free RCE!
Patch Tuesday March 2012 fixes a set of vulnerabilities in Microsoft technologies. Interesting fixes rolled out will patch a particularly problematic pre-authentication ring0 use-after-free in Remote Desktop and a DoS flaw, a DoS flaw in Microsoft DNS Server, and several less critical local EoP vulnerabilities.
It seems to me that every time a small and medium sized organization runs a network, the employees or members expect remote access. In turn, this Remote Desktop service is frequently exposed to public networks with lazy, no-VPN or restricted communications at these sized organizations. RDP best practices should be followed requiring strong authentication credentials and compartmentalized, restricted network access.
Some enterprises and other large organizations continue to maintain a “walled castle” and leave RDP accessible for support. The problem is that RDP-enabled mobile laptops and devices will make their way to coffee shops or other public wifi networks, where a user may configure a weak connection policy, exposing the laptop to attack risk. Once infected, they bring back the laptop within the walled castle and infect large volumes of other connected systems from within. To help enterprises that may have patch rollout delays, Microsoft is providing a fix-it that adds network layer authentication to the connection, protecting against exploit of the vulnerability.
This past fall, we observed the RDP worm Morto attacking publicly exposed Remote Desktop services across businesses of all sizes with brute force password guessing. It was spreading mainly because of extremely weak and poor password selection for administrative accounts! The Morto worm incident brought attention to poorly secured RDP services. Accordingly, this Remote Desktop vulnerability must be patched immediately. The fact that it’s a ring0 use-after-free may complicate the matter, but Microsoft’s team is rating its severity a “1” – most likely these characteristics will not delay the development of malicious code for this one. Do not delay patch rollout for CVE-2012-0002.
Finally, for less technical readers, allow me to explain a little about what a “Remote Desktop pre-auth ring0 use-after-free RCE” really is. Remote Desktop is a remotely accessible service that enables folks to connect remotely to a Windows system and open a window to the desktop in an application as though you were sitting in front of the computer. Usually, you need to log in to the system to do that, so the system is fairly protected. Unfortunately, this bug is such that a remote attacker that can connect to the system’s Remote Desktop service over the network can successfully attack the system without logging in. The “ring0” piece simply means that the vulnerable code exists deeply in the Windows system internals, or the kernel, of the operating system (most applications running on a system run in “ring3”, or “user-mode”). “Use-after-free” is the type of vulnerability enabling the exploit, and this type of flaw is something that continues to be extremely difficult to weed out as predicted years ago, even as many of the more traditional low hanging stack and heap overflows have been stomped out by automated code reviews and better coding practices. And finally, RCE applies to the type of exploit enabled by the vulnerability, or “remote code execution”, meaning an attacker can deliver malicious code of their choosing to the system and steal everything. There you go, “pre-auth ring0 use-after-free RCE”.