SecurityWeek

At Least 5 Million Endpoints on the Internet Are Speaking RDP, Says Researcher

According to data collected by security researcher Dan Kaminsky, the recently disclosed RDP vulnerability in Windows has a potential attack surface of millions of systems. Interestingly, this figure is based on scans of less than 10 percent of the Internet.

“There’s a very good chance that your network is exposing some RDP surface,” Kaminsky wrote in a blog post.

“If you have any sort of crisis response policy, and you aren’t completely sure you’re safe from the RDP vulnerability, I advise you to invoke it as soon as possible.”

RDP Endpoint Vulnerability

Earlier this week, Microsoft issued a patch for a vulnerability in the Remote Desktop Protocol (RDP) and urged systems administrators to apply it as soon as possible. Industry experts issued similar statements, mirroring each other’s thoughts and promoting a ‘patch now’ stance.

One of the reasons for the urgency is that the patched flaw, if exploited on a wide scale, could lead to the creation of a nasty worm. Nothing on the scale of Conficker, to be sure, but it would be a nightmare to deal with nevertheless.

In fact, the day the patch was released from Redmond, many speculated that working proof-of-concept code targeting the flaw would appear before the month was out. As it turns out, they were correct.

On Friday, most of the Web was discussing the RDP flaw and the discovery that the code sent to ZDI by researcher Luigi Auriemma had been published to a Chinese file hosting service. Given the nature of the code, and the fact that it used the same special packet to trigger the RDP flaw that Auriemma used in his report to ZDI, Microsoft was blamed for the leak.

The leak, it’s alleged, came from Microsoft’s Active Protections Program (MAPP), which shared vulnerability information and research for this month’s fixes with other security vendors. It’s said that the code exploiting the RDP flaw could have leaked from a MAPP partner or a Microsoft employee. To be clear, this is speculation, and there is no solid evidence one way or another, but it’s worth mentioning given that a working exploit is in the wild.

Yunsun Wee, director of Trustworthy Computing for Microsoft, said in a statement that the software giant is investigating the incident.

“The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners,” Wee said. “Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements.”

The update, MS12-020, was the only critical patch released this month by Microsoft. While most systems have RDP disabled by default, the flaw is rated critical because many businesses rely on the feature for normal IT operations.

Again, the fear is that an attack on the flaw would be worm-related, like the one that targeted RDP last fall. Kaspersky Labs was the first vendor to stress the need to apply MS12-020, reminding organizations of the Morto worm, which spread by brute forcing Administrator account passwords using a list of common passwords.

Systems that did not restrict RDP access to a VPN, or that used a weak password, were at risk then; now, with remote code execution against RDP added, the situation “is pretty much as bad as it gets,” McAfee’s Dave Marcus said.

For his research, Kaminsky said that he scanned 300 million IP addresses, of which approximately 415,000 endpoints showed evidence of RDP. Extrapolated to the full 3.75 billion IPs, about 5.1 million IPs would show evidence of RDP.
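What “evidence of RDP” means at the wire level is the first round trip of the protocol: the client sends an X.224 Connection Request inside a TPKT frame, and a terminal server answers with an X.224 Connection Confirm. The following is an added example, not code from the article or from Kaminsky’s post, that performs that single exchange against an address and then applies the same sample-to-whole-space arithmetic the article describes. The function names and the result labels are my own; it is written for inventorying address space you administer.

```powershell
# Added example (not from the article or Kaminsky's post): a minimal probe for
# "evidence of RDP" plus the extrapolation the article describes. Function
# names are my own. Intended for inventorying address space you administer.

function Test-RdpEndpoint {
    param(
        [Parameter(Mandatory)][string]$Address,
        [int]$Port = 3389,
        [int]$TimeoutMs = 3000
    )
    # TPKT header (version 3, total length 11) followed by an X.224 Connection
    # Request (LI=6, code 0xE0, DST-REF 0, SRC-REF 0, class 0). A terminal
    # server replies with an X.224 Connection Confirm, code 0xD0, at the same
    # offset; anything else on the port is "open but not RDP".
    $request = [byte[]](0x03,0x00,0x00,0x0B, 0x06,0xE0,0x00,0x00,0x00,0x00,0x00)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'no-response' }
        $client.EndConnect($handle)

        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $stream.Write($request, 0, $request.Length)

        $reply = New-Object byte[] 64
        $n = $stream.Read($reply, 0, $reply.Length)
        if ($n -ge 6 -and $reply[0] -eq 0x03 -and $reply[5] -eq 0xD0) { return 'rdp' }
        return 'open-not-rdp'
    } catch {
        return 'no-response'   # refused, reset, or timed out while reading
    } finally {
        $client.Close()
    }
}

function Get-RdpExposureEstimate {
    # Kaminsky's arithmetic: the hit rate in the sample, applied to the whole
    # address space (3.75 billion routable IPv4 addresses, per the article).
    param([long]$Sampled, [long]$Found, [double]$Space = 3.75e9)
    return [math]::Round($Found / $Sampled * $Space)
}

# Usage: one address per line in a file of ranges you own, then tally.
# $results = Get-Content .\my-addresses.txt | ForEach-Object {
#     [pscustomobject]@{ Address = $_; Result = Test-RdpEndpoint -Address $_ }
# }
# $results | Group-Object Result | Select-Object Name, Count
# The article's sample: Get-RdpExposureEstimate -Sampled 300000000 -Found 415000
```

The probe deliberately stops after the Connection Confirm: that single reply is enough to classify the listener, and it is the same signal a port-3389 inventory tool reports, so the results can be compared directly with what an external scan would see of your ranges.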

“Now, some subset of these endpoints are patched, and some (very small) subset of these endpoints aren’t actually the Microsoft Terminal Services code at all. But it’s pretty clear that, yes, RDP is actually an enormously deployed service, across most networks in the world,” he noted.

“Not all bugs are equally dangerous because not all code is equally deployed. Some flaws are simply more accessible than others, and RDP — as the primary mechanism by which Windows systems are remotely administered — is a lot more accessible than a lot of people were aware of.”

Invincea’s Anup Ghosh, commenting on Kaminsky’s post, recommended that administrators block inbound RDP to desktops at the firewall, allowing only essential access on a case-by-case basis restricted by source IP. If RDP is not needed at all, it should be turned off. No matter what, the patch should be applied.
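The three recommendations above (patch, restrict inbound RDP by source address, disable it where unneeded) map onto three host-side checks. The following is an added example, not code from the article or from Invincea, that audits a single Windows host for all three and then either scopes the inbound Remote Desktop rules to an administrative address list or turns RDP off. It assumes an elevated shell and the NetSecurity module (Windows 8 / Server 2012 or later; older hosts would use netsh advfirewall for the same rule changes). The function names are my own, and the KB number for the MS12-020 package is a required parameter because the bulletin ships different packages per platform and the article does not give one.

```powershell
# Added example (not from the article or Invincea): audit one Windows host
# against the three recommendations above, then scope or disable RDP.
# Assumes an elevated shell and the NetSecurity module (Windows 8 / Server
# 2012 or later). Function names are my own. $PatchKb is the KB package that
# delivers MS12-020 for this OS build; take it from the bulletin.

function Get-RdpPosture {
    param([Parameter(Mandatory)][string]$PatchKb)

    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

    $inbound = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
                 Where-Object { $_.Enabled -eq 'True' })
    # A rule whose remote scope is still 'Any' exposes 3389 to every peer that
    # can reach the host, which is exactly what an Internet-wide scan counts.
    $unscoped = @($inbound | Where-Object {
        (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_).RemoteAddress -contains 'Any'
    })
    $patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = ($deny -eq 0)
        InboundRulesOn = $inbound.Count
        UnscopedRules  = $unscoped.Count
        PatchInstalled = $patched
        Action         = $(if (-not $patched) { 'apply the patch first' }
                           elseif ($deny -eq 0 -and $unscoped.Count -gt 0) { 'scope to admin addresses or disable' }
                           else { 'ok' })
    }
}

function Set-RdpScope {
    param(
        [string[]]$AllowedRemoteAddresses,   # e.g. '10.0.0.0/24', the admin subnet (constructed value)
        [switch]$Disable                     # RDP not needed at all: turn it off
    )
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($Disable) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        return
    }
    if (-not $AllowedRemoteAddresses) { throw 'Give an allow list or use -Disable' }
    # Restrict every inbound Remote Desktop rule to the listed addresses; the
    # rules stay enabled so administrators on those addresses keep access.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AllowedRemoteAddresses
}

# Usage:
# Get-RdpPosture -PatchKb 'KB<number from the MS12-020 bulletin>'
# Set-RdpScope -AllowedRemoteAddresses '10.0.0.0/24'
# Set-RdpScope -Disable
```

The audit reports the patch state before anything else because the firewall scope only reduces who can reach the vulnerable code, while the patch removes it; a host that is scoped but unpatched is still exposed to every address on the allow list.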

SecurityWeek reached out to Kaminsky to see if his research has expanded on the initial findings. We’ll update when we have more information.

Correction: 03/18/12 6:55PM ET – Correction on number of IPs that showed direct evidence of RDP.