September 25, 2016

Microsoft’s RDP Bug Exposing 5 Million Hosts to Potential Attack

(LiveHacking.Com) – The impact of the RDP bug which Microsoft patched as part of this month’s Patch Tuesday is continuing to grow. Dan Kaminsky, who is best known for his work finding a critical DNS and for helping to fix it, has initiated a scan of the Internet and by extrapolating the data from the 8% sample (some 300 million IP addresses) it seems that there are about five million RDP endpoints on the Internet today.

With a proof of concept exploit already circulating in the wild this means that, unless updated to apply the latest patches, these five million servers are vulnerable to a real, palpable attack. Not a theoretical vulnerability but real exposure. Since RDP is the way most Windows systems are remotely administered, this vulneravility is now being seen on a whole different scale.

“There’s a very good chance that your network is exposing some RDP surface. If you have any sort of crisis response policy, and you aren’t completely sure you’re safe from the RDP vulnerability, I advise you to invoke it as soon as possible,” wrote Dan on his blog.

For those who haven’t yet applied Microsoft’s patches there is a way to substantially reduce the risk on Windows Vista and later systems where RDP is enabled: By enabling Remote Desktop’s Network Level Authentication (NLA) users are forced to authenticate before a remote desktop session is established. On systems with NLA enabled, the vulnerable code is still present and could potentially be exploited for code execution. However, NLA would require an attacker to first authenticate to the server before attempting to exploit the vulnerability.  You can find instructions here to enable NLA.

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks