Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Details of Twice-Patched Windows RDP Vulnerability Disclosed

Researchers at identity security firm CyberArk this week shared technical information on an RDP named pipe vulnerability in Windows for which Microsoft had to release two rounds of patches.

Researchers at identity security firm CyberArk this week shared technical information on an RDP named pipe vulnerability in Windows for which Microsoft had to release two rounds of patches.

Tracked as CVE-2022-21893, the issue was initially addressed on January 2022 Patch Tuesday, but an analysis of the fix revealed that a new attack vector had not been patched. On April 2022 Patch Tuesday, Microsoft resolved the bug as CVE-2022-24533.

CVE-2022-21893, CyberArk explains, is a Windows Remote Desktop Services vulnerability that could allow an unprivileged user who accesses a machine via RDP to access the file system of client machines of other connected users.

The issue would also allow the attacker to view and modify the data of other connected users, including clipboard contents, transferred files, and smart card PINs. An attacker could also impersonate other users logged on to the machine, and gain access to a victim’s redirected devices, including USB devices, hard drives, and more.

“This could lead to data privacy issues, lateral movement and privilege escalation,” CyberArk notes.

According to the researchers, the vulnerability exists because named pipe permissions are improperly handled in Remote Desktop Services, thus allowing a user with normal privileges to “take over RDP virtual channels in other connected sessions.”

“The named pipe was created in such a way that it allowed every user on the system to create additional named pipe server instances with the same name,” CyberArk explains.

The initial patch changed the pipe permissions, thus preventing standard users from creating named pipe servers. However, it did not address the risk associated with the creation of the first pipe server, when the user can set permissions for subsequent instances.

Advertisement. Scroll to continue reading.

“In case multiple pipe instances are created with the same name, the security descriptor passed to the first call to CreateNamedPipe() will be used for all the instances. In subsequent calls, a different security descriptor can be passed, but it will be ignored. So, in case an attacker creates the first pipe instance, they can control the permissions for other instances,” CyberArk notes.

Following the April 2022 patch, a new GUID is generated for new pipes – thus preventing attackers from predicting the next pipe name – and the pipe server is created with the new unique name. Furthermore, Microsoft introduced an additional control to check the current process ID against the named pipe server process ID.

“This is an additional control guaranteeing that even if an attacker could somehow predict the GUID, the attack will not work since they will have a different process ID. In this case, the same process creates the pipe server and client (the pipe client handle is later returned to the calling process), so it is easy to perform this check. With these changes, the risks of this vulnerability have been adequately addressed,” CyberArk notes.

Related: Windows Updates Patch Actively Exploited ‘Follina’ Vulnerability

Related: Patch Tuesday: Microsoft Warns of New Zero-Day Being Exploited

Related: Windows Print Spooler Vulnerabilities Increasingly Exploited in Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights