posted by janrinok on Friday January 14 2022, @05:22AM

Widespread, Easily Exploitable Windows RDP Bug Opens Users to Data Theft:

Most Windows versions are at risk of remote, unprivileged attackers abusing RDP from the inside to hijack smart cards and get unauthorized file system access.

Remote Desktop Protocol (RDP) pipes have a security bug that could allow any standard, unprivileged Joe-Schmoe user to access other connected users' machines. If exploited, it could lead to data-privacy issues, lateral movement and privilege escalation, researchers warned.

Insider attackers could, for instance, view and modify other people's clipboard data, or impersonate other logged-in users using smart cards.

The vulnerability, tracked as CVE-2022-21893, wasn't ballyhooed amid yesterday's crowded mega-dump of Patch Tuesday security updates, but it's more than worthy of scrutiny, according to a Tuesday report from CyberArk, which discovered the bug lurking in Windows Remote Desktop Services.

What's more, it's a widespread issue. The bug dates back at least to Windows Server 2012 R2, CyberArk software architect and security champion Gabriel Sztejnworcel wrote, leading the firm to conclude that the latest versions of Windows – including client and server editions – are affected.

"We can say that the majority of Windows versions in use today are affected," he confirmed. It's also easy to exploit. Microsoft said that an exploit of the vulnerability would be of low complexity[,] leading to a CVSS criticality rating of 7.7 out of 10, making it "important" in severity.

[...] As remote work has surged, cybercriminals have taken note of the increased adoption of RDP – not hard to do, given that a simple Shodan search reveals thousands of vulnerable servers reachable via the internet, along with millions of exposed RDP ports. In fact, between Q1 and Q4 2020, attacks against RDP surged by 768 percent, Dunn noted, while an October 2020 report published by Kroll identified that 47 percent of ransomware attacks were preceded by RDP compromise.

Bud Broomhead, CEO at Viakoo, observed that RDP vulnerabilities "enable some of the worst cyber-criminal activities, including planting of deepfakes, data exfiltration, and spoofing of identity and credentials."

He told Threatpost on Wednesday that while RDP is required for normal system maintenance, it can't be left to run on its lonesome. "Additional defenses like establishing a zero-trust framework and having an automated method of quickly implementing firmware fixes are needed to ensure RDP is used safely," he said via email.

Do you ever take any practical action when you see these warnings, or do you just trust your distro to issue updated software?

  • (Score: 3, Interesting) by choose another one (515) on Friday January 14 2022, @04:05PM (#1212685) (2 children)

    This.

    Quoting directly from the CVE:

    An attacker would have to convince a targeted user to connect to a malicious RDP server.

    So just another one for the scammers who are forever phoning to try and get you to use a "logmein" link or similar.

    The real story is that there are interesting ways to (ab)use an RDP connection to access your machine, ways that weren't there by design and shouldn't be there - but in all honesty, if you've already been "convinced to connect to a malicious RDP server" then you're already well pwned.

    This isn't just a Windows thing; it's not difficult to find info on similar vulnerabilities based on connecting to a rogue SSH server. This one, for instance: https://www.theregister.com/2016/01/14/openssh_is_wide_open_to_key_theft_thanks_to_roaming_flaw/
  • (Score: 0) by Anonymous Coward on Saturday January 15 2022, @02:06AM (#1212833)

    > An attacker would have to convince a targeted user to connect to a malicious RDP server.

    That's what M$ says, but the researchers say:

    "This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards."

    The Basic Attack
    1. An attacker connects to a remote machine via RDP
    2. ...

  • (Score: 1, Informative) by Anonymous Coward on Sunday January 16 2022, @12:44PM (#1213108)

    My father was scammed like this. Yes, he fell for it. I explained later that 'Microsoft' does not help anyone unless you pay first. Indian scammers. It failed at the point where they wanted him to download the .exe for the remote software, because his browser asked him to confirm whether he really wanted to do this and their script didn't cover that scenario.

    My father is getting old. Tricking people who are vulnerable is just evil.