
posted by janrinok on Friday January 14 2022, @05:22AM

Widespread, Easily Exploitable Windows RDP Bug Opens Users to Data Theft:

Most Windows versions are at risk of remote, unprivileged attackers abusing RDP from the inside to hijack smart cards and get unauthorized file system access.

Remote Desktop Protocol (RDP) pipes have a security bug that could allow any standard, unprivileged Joe-Schmoe user to access other connected users' machines. If exploited, it could lead to data-privacy issues, lateral movement and privilege escalation, researchers warned.

Insider attackers could, for instance, view and modify other people's clipboard data, or impersonate other logged-in users using smart cards.

The vulnerability, tracked as CVE-2022-21893, wasn't ballyhooed amid yesterday's crowded mega-dump of Patch Tuesday security updates, but it's more than worthy of scrutiny, according to a Tuesday report from CyberArk, which discovered the bug lurking in Windows Remote Desktop Services.

What's more, it's a widespread issue. The bug dates back at least to Windows Server 2012 R2, CyberArk software architect and security champion Gabriel Sztejnworcel wrote, leading the firm to conclude that the latest versions of Windows – including client and server editions – are affected.

"We can say that the majority of Windows versions in use today are affected," he confirmed. It's also easy to exploit. Microsoft said that an exploit of the vulnerability would be of low complexity[,] leading to a CVSS criticality rating of 7.7 out of 10, making it "important" in severity.

[...] As remote work has surged, cybercriminals have taken note of the increased adoption of RDP – not hard to do, given that a simple Shodan search reveals thousands of vulnerable servers reachable via the internet, along with millions of exposed RDP ports. In fact, between Q1 and Q4 2020, attacks against RDP surged by 768 percent, Dunn noted, while an October 2020 report published by Kroll identified that 47 percent of ransomware attacks were preceded by RDP compromise.

Bud Broomhead, CEO at Viakoo, observed that RDP vulnerabilities "enable some of the worst cyber-criminal activities, including planting of deepfakes, data exfiltration, and spoofing of identity and credentials."

He told Threatpost on Wednesday that while RDP is required for normal system maintenance, it can't be left to run on its lonesome. "Additional defenses like establishing a zero-trust framework and having an automated method of quickly implementing firmware fixes are needed to ensure RDP is used safely," he said via email.

Do you ever take any practical action when you see these warnings, or do you just trust your distro to issue updated software?
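One practical action on the server side, as an added example that is not from the Threatpost article or CyberArk's research: audit, and optionally tighten, the Terminal Services policy values that control the three features the report names (clipboard, drive/file system and smart card redirection) plus RDP itself. The registry paths and value names are Microsoft's documented Group Policy settings; the function and variable names are this example's own, and the Patch Tuesday update remains the actual fix for CVE-2022-21893.

```powershell
# Added example: audit RDP redirection posture on a machine that accepts RDP
# sessions. Run elevated. Paths and value names are the documented
# "Terminal Services" policy keys; function names are this example's own.
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Core   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Each check: display name, key, value name, the value that hardens it.
$Checks = @(
    @{ Name='RDP connections';        Path=$Core;   Value='fDenyTSConnections'; Hardened=1; Note='1 = RDP disabled' }
    @{ Name='Clipboard redirection';  Path=$Policy; Value='fDisableClip';       Hardened=1; Note='1 = blocked' }
    @{ Name='Drive redirection';      Path=$Policy; Value='fDisableCdm';        Hardened=1; Note='1 = blocked' }
    @{ Name='Smart card redirection'; Path=$Policy; Value='fEnableSmartCard';   Hardened=0; Note='0 = blocked' }
)

function Get-RdpRedirectionPosture {
    # Reports every check; an unset policy value means the feature is allowed.
    foreach ($c in $Checks) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Setting = $c.Name
            Current = if ($null -eq $current) { 'not set (allowed)' } else { $current }
            Status  = if ($current -eq $c.Hardened) { 'OK' } else { 'EXPOSED' }
            Meaning = $c.Note
        }
    }
}

function Set-RdpRedirectionHardening {
    # Blocks the three redirection features; RDP itself is only turned off
    # when -DisableRdp is given, since admins may still need the service.
    # Domain Group Policy, if it manages these keys, overwrites them on refresh.
    param([switch]$DisableRdp)
    foreach ($c in $Checks) {
        if ($c.Value -eq 'fDenyTSConnections' -and -not $DisableRdp) { continue }
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Hardened -Type DWord
    }
}

Get-RdpRedirectionPosture | Format-Table -AutoSize
```

Rows marked EXPOSED are features an unprivileged session on that server can still reach; tightening them only narrows what the bug can touch until the patch is applied.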


Original Submission

  • (Score: 4, Informative) by drussell on Friday January 14 2022, @05:54AM

    by drussell (2678) Subscriber Badge on Friday January 14 2022, @05:54AM (#1212620) Journal

    -1 points, don't use Windows...

  • (Score: 4, Insightful) by jb on Friday January 14 2022, @06:06AM

    by jb (338) on Friday January 14 2022, @06:06AM (#1212622)

    Try this instead:

    Widespread, Easily Exploitable Windows RDP Bug Opens Users to Data Theft

    Just as accurate, but more succinct and will stay true for much longer (most likely forever).

  • (Score: 2, Interesting) by Anonymous Coward on Friday January 14 2022, @06:53AM (8 children)

    by Anonymous Coward on Friday January 14 2022, @06:53AM (#1212628)

    As I read about this RDP bug it looks more and more like this:
    1. User connects to the remote server
    2. The server pastes the clipboard.
    3. The server alters the pasted contents.
    4. Then it copies it back.
    Isn't it the feature of RDP? The shared clipboard?
    So... the solution is what?
    Disabling the clipboard entirely?
    Making the shared clipboard a premium feature paid with microtransactions?

    • (Score: 3, Insightful) by Booga1 on Friday January 14 2022, @10:57AM (4 children)

      by Booga1 (6333) on Friday January 14 2022, @10:57AM (#1212650)

      I do find it to be an interesting flaw and it is serious. However, sounds like you have to be remoting into an already compromised system or tricked into thinking you're going to RDP to a trusted system first. I'd say only an idiot would RDP into an unknown system, but there are a lot of idiots out there.

      If I understand it correctly, this exploit allows the attacker to basically man-in-the-middle devices connected to the victim as well as clipboard info. The smart card being vulnerable to this is really bad. If they can do that then they have your user/identity and they're on the same machine as you now. It sounds like a great way to get lateral movement into a network or an initial foothold, but it's not some 10 out of 10 vulnerability like log4j.

      • (Score: 1, Informative) by Anonymous Coward on Friday January 14 2022, @12:03PM

        by Anonymous Coward on Friday January 14 2022, @12:03PM (#1212653)

        "This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards."

        https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-inside [cyberark.com]

      • (Score: 3, Interesting) by choose another one on Friday January 14 2022, @04:05PM (2 children)

        by choose another one (515) Subscriber Badge on Friday January 14 2022, @04:05PM (#1212685)

        This.

        Quoting directly from the CVE:

        An attacker would have to convince a targeted user to connect to a malicious RDP server.

        So just another one for the scammers who are forever phoning to try and get you to use a "logmein" link or similar.

        The real story is that there are interesting ways to (ab)use an RDP connection to access your machine, ways that weren't there by design and shouldn't be there - but in all honesty if you've already been "convinced to connect to a malicious RDP server" then you're already well pwned.

        This isn't just a Windows thing, it's not difficult to find info on similar vulnerabilities based on connecting to rogue SSH server. This one for instance: https://www.theregister.com/2016/01/14/openssh_is_wide_open_to_key_theft_thanks_to_roaming_flaw/ [theregister.com]

        • (Score: 0) by Anonymous Coward on Saturday January 15 2022, @02:06AM

          by Anonymous Coward on Saturday January 15 2022, @02:06AM (#1212833)

          > An attacker would have to convince a targeted user to connect to a malicious RDP server.

          That's what M$ says, but the researchers say:

          "This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards."

          The Basic Attack
          1. An attacker connects to a remote machine via RDP
          2. ...

        • (Score: 1, Informative) by Anonymous Coward on Sunday January 16 2022, @12:44PM

          by Anonymous Coward on Sunday January 16 2022, @12:44PM (#1213108)

          My father was scammed like this. Yes, he fell for it. I explained later that 'Microsoft' does not help anyone unless you pay first. Indian scammers. It failed at the point where they wanted him to download the .exe for the remote software because his browser asked him to confirm if he really wanted to do this and their script didn't cover the scenario.

          My father is getting old. Tricking people who are vulnerable is just evil.

    • (Score: -1, Redundant) by Anonymous Coward on Friday January 14 2022, @12:01PM

      by Anonymous Coward on Friday January 14 2022, @12:01PM (#1212652)

      "This vulnerability enables any standard *unprivileged user* connected to a remote machine via remote desktop to *gain file system access to the client machines of other connected users*, to *view and modify clipboard data of other connected users*, and to *impersonate the identity of other users* logged on to the machine using smart cards."

    • (Score: 4, Interesting) by Anonymous Coward on Friday January 14 2022, @12:16PM (1 child)

      by Anonymous Coward on Friday January 14 2022, @12:16PM (#1212656)

      Back in the Windows Server 2003 days, I had to work with a customer who blocked the ability to copy and paste from their RDP connection. I was not going to retype whole blocks of text to get work done. One day I found out that you could open Outlook on the server, start a Rich Text message, start a Rich Text message on your workstation, and copy and paste between the two RTF messages remotely. Never told anyone about it though. Would not be surprised if the method still worked with the current versions.

      • (Score: 1, Interesting) by Anonymous Coward on Friday January 14 2022, @08:36PM

        by Anonymous Coward on Friday January 14 2022, @08:36PM (#1212756)

        I had an unpleasant experience with an RDP machine with file transfers on both sides blocked. The machine runs computer simulations. So users spend hours converting their data and solid models (literally STLs) to text, copy-paste it into the machine and do the same with results but in the other direction. A few years ago I discovered the shared clipboard and used it, especially when I wanted to help someone - I copied the data, other user could paste it. I had no idea that this feature is an exploit.
        In my original post I was not writing only about the clipboard shared between client and server, but between server users too. If configured properly, it works somewhat like a big, global X11's Primary: I copy the data, another user activates the same program (doesn't need to be the same window), the user can copy the data.

  • (Score: -1, Flamebait) by Anonymous Coward on Friday January 14 2022, @07:09AM

    by Anonymous Coward on Friday January 14 2022, @07:09AM (#1212631)

    Insider attackers could, for instance, view and modify other people's clipboard data, or impersonate other logged-in users

    Oh Noes! Run away! It's Aristarchus!!!

  • (Score: 4, Interesting) by inertnet on Friday January 14 2022, @12:00PM

    by inertnet (4071) Subscriber Badge on Friday January 14 2022, @12:00PM (#1212651)

    Do you ever take any practical action when you see these warnings

    Whenever I need a Windows server, I install IPBan [github.com] on it. It does a good job of keeping the RDP attackers out.

  • (Score: 5, Insightful) by Runaway1956 on Friday January 14 2022, @02:32PM (5 children)

    by Runaway1956 (2926) Subscriber Badge on Friday January 14 2022, @02:32PM (#1212669) Homepage Journal

    He told Threatpost on Wednesday that while RDP is required for normal system maintenance,

    Uhhh, excuse me? Required for normal system maintenance? Nonsense. RDP is one of the things I disable immediately after a new installation of Windows. "Normal" maintenance is not affected, in the slightest. "Remote" maintenance is inhibited - and that is the whole point of disabling the service. I don't need or want remote maintenance and/or administration. Which means, unless you are in a corporate environment, and the IT people insist on remote administration, it is safe to turn off RDP. To be clear, Remote Desktop Protocol is a backdoor exploit into your machine. If, and only if, your employer requires it should it ever be turned on.

    Why can't anyone be honest about all that nonsense? Threatpost is supposed to be concerned about security? Then they should clearly state that the average user should simply disable the service.

    --
    There is a supply side shortage of pronouns. You will take whatever you are offered.
    • (Score: 0) by Anonymous Coward on Friday January 14 2022, @03:52PM

      by Anonymous Coward on Friday January 14 2022, @03:52PM (#1212682)

      That post reads so much better in the voice of Miss Emily Litella.

      Never mind.

    • (Score: 0) by Anonymous Coward on Friday January 14 2022, @05:33PM (1 child)

      by Anonymous Coward on Friday January 14 2022, @05:33PM (#1212704)

      At my workspace, we have a locked down Windows desktop (corporate policy). But as a Linux admin I also have a Linux desktop I can do with as I please (not corporate policy). I have to use the Windows desktop for some applications that won't work from Linux. Mostly time tracking and sharepoint. For this I use RDP from my Linux desktop. Soon our physical Windows desktop will move to a virtual desktop. I'm already using a virtual Windows desktop via RDP. It's exactly the same as my physical desktop, only faster. In the near future my physical Windows desktop will be removed and all I'll have is RDP to a virtual Windows desktop to do my work. I have no control over the Windows environment to install alternatives. To be honest, it's a wonder they allow RDP at all, but I suspect many in the company have a need to remote into their desktops.

      So ya, RDP "IS" required for normal system maintenance. Pretending otherwise ignores the realities of remote work.

      • (Score: 2) by Runaway1956 on Friday January 14 2022, @10:41PM

        by Runaway1956 (2926) Subscriber Badge on Friday January 14 2022, @10:41PM (#1212789) Homepage Journal

        Hmmmm. I said

        unless you are in a corporate environment, and the IT people insist on remote administration

        Then you said

        At my workspace, we have a locked down Windows desktop (corporate policy)

        We seem to be at odds here about what an "average user" is. To me, "average user" would be a private citizen, using his own privately owned hardware, to do as he damned well pleases, without any corporate guidance or intervention. You, on the other hand, are representing a completely different group of users, commonly known as "Enterprise".

        --
        There is a supply side shortage of pronouns. You will take whatever you are offered.
    • (Score: 4, Interesting) by Subsentient on Friday January 14 2022, @10:07PM

      by Subsentient (1111) Subscriber Badge on Friday January 14 2022, @10:07PM (#1212783) Homepage Journal

      I don't deal with Windows shit, period. All my systems are Linux or at least BSD, and even when I do need to talk to Windows, I use the same tool I use everywhere else -- ssh. If I need another tool, I'll tunnel it through ssh, but not open a port to a different service.

      --
      "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
    • (Score: 2) by Ingar on Saturday January 15 2022, @11:44AM

      by Ingar (801) on Saturday January 15 2022, @11:44AM (#1212895) Homepage

      Remote sessions are disabled by default on a new Windows installation. Remote Assistance is enabled though.

      Any sufficiently large IT environment is using some form of remote desktop solution these days.
      If they don't use one for security reasons, I usually make an offer for an on-site intervention.
      People quickly change their minds when confronted with the real costs of security.

      The average user doesn't install windows, the average user doesn't manage services. The average user doesn't care.

  • (Score: 1, Interesting) by Anonymous Coward on Saturday January 15 2022, @02:15PM

    by Anonymous Coward on Saturday January 15 2022, @02:15PM (#1212918)

    You can't be exploited if you remove RDP and remote assistance with DISM / NTLite. You probably can't install the patch either but fair is fair.
