Wednesday, March 28, 2012

Reflections about the RDP (MS12-020) Vulnerability

It is no longer news to anyone involved with information security that a critical vulnerability was identified in the Remote Desktop Protocol service (RDP, 3389/tcp). This vulnerability was reported on Microsoft's famous "super tuesday" of March 2012. Basically, it is a vulnerability that allows remote exploitation of the server/desktop (more details here: http://technet.microsoft.com/en-us/security/bulletin/ms12-020).
A tool that causes a denial of service on a vulnerable system already exists. It's just a matter of time until we have a fully active worm exploiting this vulnerability and spreading in an uncontrolled manner. Uncontrolled? But after all, isn't this service disabled by default?

Yes, but...

As usual, we have some sins in firewall configurations. Want an example? Just remember Slammer... Why the hell did someone enable (and still enables) direct access to a database from the internet? If this is REALLY necessary, why not restrict that access to specific source IP addresses? The same question obviously applies to RDP access, with the aggravating factor that this service is not enabled by default (i.e., we have to consciously enable it).
It's really important to adopt a secure architecture, regardless of whether a specific vulnerability is known.
Zero-days are always a reality...
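As an added example (not part of the original post), a small Python audit of Windows Firewall rules in the text layout of `netsh advfirewall firewall show rule name=all`: it flags enabled inbound allow rules that open 3389/tcp or the SQL Server ports to any source address, while rules scoped to specific source addresses pass. The rule listing is constructed, and the 203.0.113.0/24 management range is a placeholder.

```python
"""Audit Windows Firewall rules for RDP/SQL ports reachable from any address."""
import re
# Ports the post singles out: RDP (3389/tcp) and the SQL Server ports Slammer hit.
SENSITIVE = {("TCP", "3389"), ("TCP", "1433"), ("UDP", "1434")}

# Constructed sample in the layout of `netsh advfirewall firewall show rule name=all`.
SAMPLE_RULES = """\
Rule Name:                            Remote Desktop (TCP-In)
Enabled:                              Yes
Direction:                            In
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow

Rule Name:                            RDP from management subnet only
Enabled:                              Yes
Direction:                            In
RemoteIP:                             203.0.113.0/24
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow
"""

def parse_rules(text):
    """One dict per rule: blocks are blank-line separated, fields are 'Key: value'."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"(?m)^([A-Za-z ]+):\s+(.+?)\s*$", block))
        if "Rule Name" in fields:
            rules.append(fields)
    return rules

def exposed_rules(text):
    """Names of enabled inbound allow rules opening a sensitive port to every source."""
    hits = []
    for r in parse_rules(text):
        if (r.get("Enabled"), r.get("Direction"), r.get("Action")) != ("Yes", "In", "Allow"):
            continue
        if r.get("RemoteIP") not in ("Any", "0.0.0.0/0"):
            continue  # scoped to specific source addresses: what the post asks for
        ports = r.get("LocalPort", "Any").split(",")
        if any(r.get("Protocol") in (proto, "Any") and (port in ports or "Any" in ports)
               for proto, port in SENSITIVE):
            hits.append(r["Rule Name"])
    return hits

if __name__ == "__main__":
    for name in exposed_rules(SAMPLE_RULES):
        print("EXPOSED TO ANY SOURCE:", name)
```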

Additional information:

http://aluigi.org/adv/termdd_1-adv.txt
http://seclists.org/nmap-dev/2012/q1/att-691/rdp-ms12-020.nse
http://www.metasploit.com/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids
http://www.f-secure.com/weblog/archives/00002338.html
http://samsclass.info/123/proj10/rdp-honeypot.htm
http://blog.snort.org/2012/03/vrt-rule-release-for-03222012-ms12-020.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Snort+%28Snort%29