Microsoft’s Security Bulletin MS12-020, published on March 13, 2012, fixes a critical vulnerability (CVE-2012-0002) in Microsoft's implementation of RDP.
Remote Desktop Protocol (RDP) is a convenient solution for remotely accessing and managing systems.
Proof-of-concept (PoC) code for MS12-020 is publicly available; it only results in a denial of service (DoS), crashing the target rather than executing code. The PoC appears to match the vulnerability details shared with Microsoft Active Protections Program (MAPP) partners, so it was likely leaked from a MAPP partner.
SonicWALL released two IPS signatures that cover MS12-020 (remember that a best practice is to enable the IPS service on your SonicWALL NGFW):
IPS: 7528 - Suspicious RDP Traffic 3
IPS: 7539 - Suspicious RDP Traffic 4
What are the risks of MS12-020?
The RDP vulnerability is rated Critical by Microsoft: a remote, unauthenticated attacker can execute arbitrary code on a vulnerable system.
- The vulnerability applies to most supported versions of Microsoft Windows.
- The vulnerability allows remote code execution by an unauthenticated attacker; no credentials are needed to reach the vulnerable code.
- Often, RDP is permitted in from the Internet on its default port (TCP 3389) to manage various systems.
- Once a working exploit becomes available, attackers can easily compromise exposed, unpatched systems; automated, worm-style attacks are possible.
- It’s not only about attacks from the Internet: internally exposed RDP servers can be targeted by malicious insiders or by malware once an internal machine becomes infected.
The “good” part
The impact of MS12-020 on your environment may vary:
- Microsoft anticipates that exploit code will be developed within 30 days; the vulnerability was privately reported and, so far, no public exploit achieves code execution (the public PoC only crashes the target). There is a window to apply the patch, but it is closing.
- RDP is not enabled by default on standard Windows installations.
- If you enabled RDP and also configured Network Level Authentication (NLA, available on Windows Vista and later), this helps: NLA authenticates the user before the RDP session is set up, so an attacker needs valid credentials before reaching the vulnerable code. Microsoft lists enabling NLA as a workaround in the bulletin.
- Changing the default TCP port 3389 on which RDP listens may deflect script kiddies and simple automated attacks, but it does not fix the vulnerability: a port scan still finds the service, so treat it as obscurity, not mitigation.
How to protect yourself
- Apply the patch immediately on all systems; it is the only real fix, the other steps only reduce exposure.
- Never expose the RDP service directly to the Internet; this is not the first time RDP has come under fire.
- Give Internet users access to RDP servers only over VPN; SSL VPN is the most convenient way to secure RDP and prevent unauthorized access from the Internet to your RDP servers.
- Use a proper firewall to segment your internal network and restrict access to critical servers; a Next Generation Firewall (NGFW) provides visibility into the traffic flow and lets you monitor and granularly control what happens on your network.
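The following PowerShell script is an added example, not code from the original post or from SonicWALL; it audits a single Windows host for the conditions listed under "The good part" (RDP enabled, NLA not required, listening port, patch missing) and applies the host-side mitigations from the list above. It assumes that KB2621440 is the MS12-020 update for CVE-2012-0002 (verify the KB number against the bulletin for your OS), that 10.0.0.0/24 is a placeholder management subnet, and that it runs elevated on Windows Vista / Server 2008 or later, where the NLA registry values exist.

```powershell
# Added example (not from the original post): audit one Windows host for
# MS12-020 exposure and optionally apply the mitigations discussed above.
# ASSUMPTIONS: KB2621440 is the MS12-020 update for CVE-2012-0002 (check the
# bulletin); 10.0.0.0/24 is a placeholder management subnet; run elevated.

$tsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp  = Join-Path $tsKey 'WinStations\RDP-Tcp'
$ms12020 = 'KB2621440'      # assumed KB id for the CVE-2012-0002 fix
$mgmtNet = '10.0.0.0/24'    # placeholder: hosts allowed to reach RDP

function Get-RdpExposure {
    # Collect the facts the bulletin's workarounds depend on.
    $ts  = Get-ItemProperty -Path $tsKey
    $tcp = Get-ItemProperty -Path $rdpTcp
    $patched = [bool](Get-HotFix -Id $ms12020 -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        RdpEnabled   = ($ts.fDenyTSConnections -eq 0)   # 1 = RDP disabled
        NlaRequired  = ($tcp.UserAuthentication -eq 1)  # 1 = NLA required
        Port         = $tcp.PortNumber                  # default 3389
        Ms12020Patch = $patched
    }
}

function Test-RdpAtRisk {
    param($State = (Get-RdpExposure))
    # Unauthenticated exploitation needs all three: RDP listening,
    # no NLA in front of it, and the update not installed.
    return ($State.RdpEnabled -and -not $State.NlaRequired -and -not $State.Ms12020Patch)
}

function Set-RdpMitigations {
    param([switch]$Apply)
    if (-not $Apply) { return 'Re-run with -Apply to change the host.' }

    # Require NLA so an attacker must present valid credentials before the
    # RDP connection sequence reaches the vulnerable code; use TLS (2) as
    # the security layer rather than legacy RDP security (0).
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord

    # Scope the built-in "Remote Desktop" firewall rules to the management
    # subnet, so RDP is reachable only from admin hosts, never from everywhere.
    netsh advfirewall firewall set rule group="Remote Desktop" new remoteip=$mgmtNet
}

# Report first, then decide; patching is still required in every case.
$state = Get-RdpExposure
$state | Format-List RdpEnabled, NlaRequired, Port, Ms12020Patch
if (Test-RdpAtRisk $state) {
    Write-Warning 'Host is exposed to MS12-020: install the update, then run Set-RdpMitigations -Apply.'
}
```

Requiring NLA locks out clients that cannot do CredSSP (for example older Windows XP clients without the CredSSP update), so test it against your admin workstations before rolling it out. The firewall scoping only affects the Windows Firewall on the host; the perimeter rule that keeps TCP 3389 off the Internet still belongs on the NGFW.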
Another vulnerability has been exposed in Microsoft’s RDP implementation; now is a good time to stop allowing direct RDP access from the Internet to your servers.