RDP flaw a harbinger of breaches

A vulnerability in Microsoft's Remote Desktop Protocol (RDP) is predicted to cause mayhem for organisations this year with small businesses most notably at risk.

The flaw, announced in a patch tuesday release overnight (CVE 2012-0002) provides attackers with remote access to networks that have RDP enabled.

Attackers could execute code at a priveleged level without the need to provide credentials, if the target machine does not have network-level authentication enabled. 

And many do not, according to experts.

"We will still be exploiting this in a year," said Chris Gatford, director of penetration testing firm HackLabs. "There hasn't been anything this serious in years."

He said almost all organisations run RDP internally and about a third have the service activated externally, notably to connect to cloud computing services.

Security consultant Casey Ellis said exploits for the hole would be developed within weeks.

"Someone will create a worm soon for this," he said. "Over the coming weeks, we'll not be talking about seeing risk to businesses -- we'll be talking about them getting owned."   

He said countless small businesses would have RDP enabled both internally and many externally for remote access.

"I haven't seen anything this bad since Sasser or Blaster."

Ellis has today registered the web site RDPcheck and will create a "quick and dirty" tool that will check whether a machine is vulnerable to the flaw.

Microsoft recommended that customers apply Network Level Authentication which would mitigate the attack prior to applying the patch, but Gatford pointed out that this would cut off connectivity for XP machines. 

He said users should run RDP behind gateways. Windows XP users could download and enable CredSSP, while users running Terminal Services Gateway should restrict access to the host to known and trusted networks.

Microsoft said RDP was disabled by default adding it was not aware of attacks against the privately-reported vulnerability.

"Due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days," the company said.

Kaspersky senior security researcher Kurt Baumgartner said organisations could be compromised if staff RDP-enabled laptops were infected at public WI-Fi hotspots. 

"Once infected, they bring back the laptop within the 'walled castle' and infect large volumes of other connected systems from within.".

Copyright © SC Magazine, Australia