Exchange Server | Murat Bilici

"Empower your knowledge"

“MS12-020 Vulnerabilities in Remote Desktop Could Allow Remote Code Execution”

The March Security Bulletin release from Microsoft was relatively light in volume. Out of the six bulletins released, only one was rated as Critical.

And for good reason. MS12-020 includes CVE-2012-0002. This flaw is specific to the Remote Desktop Protocol (RDP) present on most current versions of Microsoft Windows. The RDP service, by default, listens on TCP port 3389. And because it’s so darn convenient, lots of people like to open their firewalls/ingress points to the traffic.

This is a bad/dangerous/insecure thing. (Choose your own favorite term.) I hope this issue (and many others before it) will influence anyone’s decision-making process when it comes to network hardening, external access, etc.

This is certainly not the first flaw in RDP. It is quite significant in that it does not require authentication to exploit the flaw–just a firing of some specially crafted packets. From that point the world (or the world that the compromised host lives in) is the attacker’s oyster. This is especially bad because the RDP service runs in kernel mode, under the System account (in most cases).

Keep in mind that it is very easy and takes little time to find targets. You see this type of situation all too often:

20120315-224506.jpg

This situation very quick leads to an intruder’s trying to login via brute force, or trying something new (like the flaw described in MS12-020) !

20120315-224737.jpg

So, what can you do to protect your environment?

McAfee, Microsoft, and others firmly recommend that you prioritize the deployment of the MS12-020 update.

Other steps:

- RDP is typically disabled by default. If there is any doubt, investigate and confirm in your environment whether and where it running.

- In Windows Vista or later, enable Network Level Authentication (NLM)

- Even if you have NLM enabled, the flaw can be exploited if the attacker can gain authentication.

- This means you should verify strong (nondefault, sufficiently complex) user/password combinations.

Resources

- CVE-2012-0002: A closer look at MS12-020′s critical issue

- Microsoft Security Bulletin MS12-020

- McAfee Vulnerability Manager

- McAfee Coverage Data

Coverage exists in:

- McAfee Vulnerability Manager (FSL release): 3/13/2012

- McAfee Network Security Platform (Sig release): 3/13/2012

- McAfee Remediation Manager (V-Flash): 3/13/2012

Categories: Fix - Security