Details of Twice-Patched Windows RDP Vulnerability Disclosed

Researchers at identity security firm CyberArk this week shared technical information on an RDP named pipe vulnerability in Windows for which Microsoft had to release two rounds of patches.

Tracked as CVE-2022-21893, the issue was initially addressed on January 2022 Patch Tuesday, but an analysis of the fix revealed that a new attack vector had not been patched. On April 2022 Patch Tuesday, Microsoft resolved the bug as CVE-2022-24533.

CVE-2022-21893, CyberArk explains, is a Windows Remote Desktop Services vulnerability that could allow an unprivileged user who accesses a machine via RDP to access the file system of client machines of other connected users.

The issue would also allow the attacker to view and modify the data of other connected users, including clipboard contents, transferred files, and smart card PINs. An attacker could also impersonate other users logged on to the machine, and gain access to a victim’s redirected devices, including USB devices, hard drives, and more.

“This could lead to data privacy issues, lateral movement and privilege escalation,” CyberArk notes.

According to the researchers, the vulnerability exists because named pipe permissions are improperly handled in Remote Desktop Services, thus allowing a user with normal privileges to “take over RDP virtual channels in other connected sessions.”

“The named pipe was created in such a way that it allowed every user on the system to create additional named pipe server instances with the same name,” CyberArk explains.

The initial patch changed the pipe permissions, thus preventing standard users from creating named pipe servers. However, it did not address the risk associated with the creation of the first pipe server, when the user can set permissions for subsequent instances.

“In case multiple pipe instances are created with the same name, the security descriptor passed to the first call to CreateNamedPipe() will be used for all the instances. In subsequent calls, a different security descriptor can be passed, but it will be ignored. So, in case an attacker creates the first pipe instance, they can control the permissions for other instances,” CyberArk notes.

Following the April 2022 patch, a new GUID is generated for new pipes – thus preventing attackers from predicting the next pipe name – and the pipe server is created with the new unique name. Furthermore, Microsoft introduced an additional control to check the current process ID against the named pipe server process ID.

“This is an additional control guaranteeing that even if an attacker could somehow predict the GUID, the attack will not work since they will have a different process ID. In this case, the same process creates the pipe server and client (the pipe client handle is later returned to the calling process), so it is easy to perform this check. With these changes, the risks of this vulnerability have been adequately addressed,” CyberArk notes.

Related: Windows Updates Patch Actively Exploited ‘Follina’ Vulnerability

Related: Patch Tuesday: Microsoft Warns of New Zero-Day Being Exploited

Related: Windows Print Spooler Vulnerabilities Increasingly Exploited in Attacks