Serious Vulnerabilities found in Windows Remote Desktop Protocol Clients
February 6, 2019 | Filed Under: Check Point, Security, Security News
Whether you’re working from home or performing tech support within your organization, few methods are as helpful and commonplace as remote desktop management. With any tool that handles user authentication and provides remote control of computers over the Internet, the potential for abuse is enormous. The dangers were emphasized strongly this week by a new report from Check Point Research. Their analysts uncovered 16 major vulnerabilities in popular, widely used Remote Desktop Protocol clients.
When Microsoft’s Remote Desktop Protocol works as intended, it allows an authorized user (using the RDP client) to take control of a session on the remote machine (the RDP host). Check Point Research’s team managed to flip the script: the RDP server was modified to take control of the client. Though the exploit details vary from client to client, many revolve around time-tested hacking “classics” like buffer overflows. In simplified terms, the maliciously modified RDP host will send the RDP client more data than it reserved space for in memory, and thereby overwrite valid program data with instructions of the attacker’s choosing.
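An added example, not code from the Check Point report or from any RDP client, showing the check an RDP client has to apply to a host-declared length before copying data into the buffer it reserved. The 2-byte length framing and the 64-byte client buffer are assumptions for illustration, not the real RDP PDU layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative framing only (hypothetical, not the real RDP PDU layout):
 * a 2-byte big-endian length field followed by that many payload bytes.
 * The client reserves a fixed buffer for the payload. */
#define CLIENT_BUF_SIZE 64

typedef struct {
    uint8_t data[CLIENT_BUF_SIZE];
    size_t  len;
} client_buf_t;

/* Copies a host-sent frame into the client's fixed buffer.
 * Returns the payload length on success, -1 if the frame is rejected. */
int parse_server_frame(const uint8_t *pkt, size_t pkt_len, client_buf_t *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 2)
        return -1;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];

    /* The classic defect: trusting 'declared' and copying that many bytes
     * into data[], so a host declaring more than CLIENT_BUF_SIZE bytes
     * writes past the buffer. The two checks below are the fix. */
    if (declared > CLIENT_BUF_SIZE)   /* more than the client reserved   */
        return -1;
    if (declared > pkt_len - 2)       /* more than was actually received */
        return -1;

    memcpy(out->data, pkt + 2, declared);
    out->len = declared;
    return (int)declared;
}

/* Builds a constructed frame (not captured traffic) that declares 'declared'
 * payload bytes but actually carries 'present' bytes, then parses it. */
int check_frame(uint16_t declared, size_t present)
{
    uint8_t pkt[2 + 128];
    client_buf_t b;
    if (present > sizeof pkt - 2) return -2;   /* sample too large to build */
    pkt[0] = (uint8_t)(declared >> 8);
    pkt[1] = (uint8_t)(declared & 0xff);
    memset(pkt + 2, 'A', present);
    return parse_server_frame(pkt, 2 + present, &b);
}
```

A well-formed frame whose declared length fits the reserved buffer is accepted; a frame that declares more than 64 bytes, or more than it actually carries, is rejected before any copy happens.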
These exploits could wreak havoc within an otherwise secure network. If a malicious user within a large company modified their RDP server (or if an innocent user was tricked into doing so), and asked an IT administrator to remote in to solve a problem, they could subsequently execute commands using the account privileges of that administrator.
Who Is Affected?
Not all remote desktop applications in common usage have been implicated. TeamViewer, for example, uses a proprietary protocol distinct from Microsoft’s RDP standard. VNC clients are also unaffected, operating by different mechanisms. This is not license to be cavalier with non-RDP remote desktop safety, but the urgency is somewhat reduced if you are not using tools that implement Microsoft’s RDP.
If you or your users may be using tools like FreeRDP, rdesktop or any similar application, it is necessary to immediately install the patches released to address the above vulnerabilities. Since notice was provided to the developers of these applications well before the article’s publication, it is possible that you are already patched, but this is something you must carefully verify. A full list of vulnerabilities and patches can be found in the linked Check Point Research article.