uTalk

thrive

Member

Registered: 2023-01-04

Posts: 2,018

Several More Reasons Why RDP Is Risky

When compared to the numerous technologies that come and go in a matter of years, Remote Desktop Protocol (RDP) appears to have existed forever. The first iteration, called "Remote Desktop Protocol 4.0," was made available in 1996 as a component of the Windows NT 4.0 Terminal Server edition and allowed users to access and manage Windows-based computers remotely over a network connection.

RDP has grown in popularity over the years as a protocol for remote access and management of Windows-based systems. RDP is a key component of remote work, IT support, and system management and it has been the basis for many remote desktop and virtual desktop infrastructure (VDI) solutions.

The disadvantage of the widespread use of RDP is that a Remote Code Execution (RCE) vulnerability in an RDP gateway can have serious repercussions, potentially causing significant harm and jeopardizing the security and integrity of the impacted system. An RCE vulnerability can be exploited from the standpoint of an attacker to gain unauthorized access to the impacted system, circumvent security safeguards, and carry out malicious operations like lateral movement, data exfiltration, malware deployment, system disruption, and more.

It's important to remember that the impact's severity will vary depending on a number of variables, including the vulnerability in question, the motivation and resources of the attacker, the significance of the targeted system, and the security precautions in place. RCE vulnerabilities in RDP are nonetheless regarded as a critical security concern that calls for immediate attention and mitigation given the possibility for unauthorized access, data breaches, and system compromise.

Unexpectedly, Microsoft has recently released security bulletins for just such a situation (tongue firmly in cheek). Patch, please!

RDP Exploitation Through DLL Hijacking - CVE-2023-24905.
When the RDP client attempted to load a file from the current working directory (CWD) rather than the Windows OS directory, the RDP client was vulnerable due to dynamic link library (DLL) hijacking.

It soon became obvious that we could spoof resources loaded by altering the icons and strings in the DLL, which would make for an intriguing phishing attack vector. In this case, the user might be tricked into taking specific actions by an attacker who manipulates the visual components, like icons and strings, within the DLL. By altering the icons and strings, an attacker could, for instance, make an error message appear to be a genuine system notification or change a potentially dangerous action, like downloading a file, into one that seems harmless, like running a software update. ".

The DLL string is altered to become a malicious file, which is then uploaded to a frequently visited file sharing location and tricked into running by a user.
This is how the RCE works.
It's interesting to note that this exploit only impacted Windows OS-powered devices with ARM processors. Industrial control systems (ICS) and other operational technology (OT) environments frequently use both RDP and Windows OS on ARM, making these environments prime targets for this exploit. Industrial enterprises and critical infrastructure are also prime targets for this exploit.

RDP Gateway Vulnerability May Endanger Compliance - CVE-2023-35332.
Transport Control Protocol (TCP) and Transport Layer Security (TLS) version 1.2, two widely used protocols for secure communication, are used by the RDP Gateway protocol to establish a primary secure channel during normal operation. Additionally, a second channel is established using the user datagram protocol (UDP) and DTLS 1.0. As a result of well-known security risks and vulnerabilities, DTLS 1.0 has been deprecated since March 2021.

"This RDP Gateway flaw poses both a serious security risk and a major compliance problem. The use of out-of-date and deprecated security protocols, like DTLS 1.0, may unintentionally violate industry standards and laws. ".

The secondary UDP channel raises suspicions, especially given that it employs DTLS 1.0, a protocol with a long history of security flaws. The biggest issue is that some operators may not even be aware that they are not following this dated protocol.

The end.

The best course of action is to update your RDP clients and gateways with the Microsoft patches in order to avoid the effects of these vulnerabilities. However, other RCEs on RDP will inevitably exist, making it imperative to implement effective access controls in order to stay ahead of threat actors. Since RDP is frequently used in OT/ICS environments that are practically impossible to patch, it's crucial that businesses using these systems find security tools that satisfy their unique needs for system availability, operational safety, and other factors.