If it seems like Remote Desktop Protocol (RDP) has been around forever, that’s because it has, at least compared to the many technologies that have risen and fallen within just a few years. An early version, known as “Remote Desktop Protocol 4.0,” was released in 1996 as part of the Windows NT 4.0 Terminal Server edition and allowed users to access and control a Windows-based computer remotely over a network connection.
In the following decades, RDP has become a widely used protocol for remote access and administration of Windows-based systems. RDP plays a critical role in enabling remote work, IT support, and systems management and has served as the basis for various remote desktop solutions and virtual desktop infrastructure (VDI).
The downside to the widespread use of RDP is that Remote Code Execution (RCE) vulnerabilities in RDP gateways can have severe consequences, potentially causing significant damage and compromising the security and integrity of affected systems. From an attacker’s perspective, exploiting an RCE vulnerability is a way to gain unauthorized access to affected systems: it lets them take control of the system, bypass security measures, and perform malicious actions that can include lateral movement, data exfiltration, malware deployment, system tampering, and more.
It is important to note that the severity of the impact will depend on a variety of factors, including the specific vulnerability, the intent and capability of the attacker, the importance of the systems being targeted, and the security measures implemented. However, given the potential for unauthorized access, data breaches, and system compromise, the RCE vulnerability in RDP is considered a critical security issue that requires immediate attention and mitigation.
Surprisingly (tongue in cheek), Microsoft recently published a security bulletin for such a scenario. Please patch!
DLL Hijacking Used to Exploit RDP – CVE-2023-24905
The exploit leverages dynamic link library (DLL) hijacking: the RDP client is compromised because it tries to load DLLs from the current working directory (CWD) instead of from the Windows OS directory.
“It became clear that we could spoof the loaded resources by changing the icon and strings in the DLL, which would present an interesting phishing attack vector. In this scenario, an attacker could manipulate visual elements, such as the icon and strings inside the DLL, to mislead the user into taking a certain action. For example, by changing the icon and string, the attacker could make the error message look like a legitimate system notification or change a malicious action (such as downloading a file) to something apparently harmless (such as performing a software update).”
RCE stems from turning a DLL string into a malicious file, placing it in a commonly accessed file share location, and then tricking the user into running it. Interestingly, this exploit only affects devices running Windows OS on advanced RISC engine (ARM) processors. Both RDP and Windows on ARM are commonly used in industrial control systems (ICS) and other operational technology (OT) environments, making industrial and critical infrastructure companies prime targets for these exploits.
RDP Gateway Vulnerability Could Threaten Compliance – CVE-2023-35332
Under normal operation, the RDP Gateway protocol creates a primary secure channel using Transmission Control Protocol (TCP) and Transport Layer Security (TLS) version 1.2, both widely accepted protocols for secure communications. Additionally, a secondary channel is created over the User Datagram Protocol (UDP), implementing Datagram Transport Layer Security (DTLS) 1.0. It is important to note that DTLS 1.0 has been deprecated since March 2021 due to known vulnerabilities and security risks.
“This RDP Gateway vulnerability presents a substantial security risk and significant compliance issue. Use of outdated security protocols, such as DTLS 1.0, can lead to unintentional non-compliance with industry standards and regulations.”
The secondary UDP channel is a cause for concern, mainly because it uses a protocol with many known issues (DTLS 1.0). The biggest challenge is that carriers may not even know that these outdated protocols put them out of compliance.
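One way to find out is to look at what the UDP channel actually negotiates. The following is an added example, not code from the article or from Microsoft: a small Python parser that reads DTLS handshake records (the three datagrams are constructed inline and stand in for a capture of the gateway’s UDP traffic) and flags any Hello that commits to DTLS 1.0. Port numbers and byte layouts beyond the RFC 6347 record format are not taken from the article.

```python
import struct

HANDSHAKE = 22                     # DTLS record content type for handshake
CLIENT_HELLO, SERVER_HELLO = 1, 2  # handshake message types
VERSION_NAMES = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}

def parse_hello(datagram: bytes):
    """Return (msg_type, hello_version) for a DTLS ClientHello/ServerHello
    record, else None. Record header = type(1) version(2) epoch(2) seq(6)
    length(2); handshake header = type(1) len(3) msg_seq(2) frag_off(3)
    frag_len(3); the first two bytes of either Hello body are the version."""
    if len(datagram) < 13:
        return None
    ctype, rec_ver, _epoch, _seq, length = struct.unpack("!BHH6sH", datagram[:13])
    if ctype != HANDSHAKE or rec_ver not in VERSION_NAMES:
        return None
    body = datagram[13:13 + length]
    if len(body) < 14 or body[0] not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    return body[0], struct.unpack("!H", body[12:14])[0]

def audit(datagrams):
    """One finding per Hello that commits to DTLS 1.0. A ClientHello's
    record-layer version is normally DTLS 1.0 whatever the client supports,
    so only the version inside the Hello body counts: the client's maximum
    in a ClientHello, the negotiated version in a ServerHello."""
    findings = []
    for i, d in enumerate(datagrams):
        parsed = parse_hello(d)
        if parsed and parsed[1] == 0xFEFF:
            who = "client offers at most" if parsed[0] == CLIENT_HELLO else "server negotiated"
            findings.append(f"datagram {i}: {who} DTLS 1.0")
    return findings

def build_hello(msg_type, hello_version, record_version=0xFEFF):
    """Construct a minimal DTLS Hello record for testing (not real gateway traffic)."""
    body = struct.pack("!H", hello_version) + bytes(32) + b"\x00"  # version, random, empty session id
    hs = (bytes([msg_type]) + len(body).to_bytes(3, "big") + bytes(2)   # msg type, length, msg_seq
          + bytes(3) + len(body).to_bytes(3, "big") + body)            # frag offset, frag length, body
    return struct.pack("!BHH6sH", HANDSHAKE, record_version, 0, bytes(6), len(hs)) + hs

# Constructed sample: a DTLS 1.2-capable client, a gateway that answers with
# DTLS 1.0, and an application-data record that the parser must ignore.
SAMPLE = [
    build_hello(CLIENT_HELLO, 0xFEFD),
    build_hello(SERVER_HELLO, 0xFEFF),
    b"\x17\xfe\xfd" + bytes(20),
]
FINDINGS = audit(SAMPLE)  # → ["datagram 1: server negotiated DTLS 1.0"]
```

A ServerHello carrying 0xFEFF is the signal that matters: it means the gateway actually settled on the deprecated version, whatever the client was able to offer.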
To avoid the consequences of this vulnerability, the best thing to do is to update your RDP client and gateway with the patch that Microsoft has released. But inevitably there will be another RCE in RDP, and that means an important next step is to stay ahead of threat actors by implementing strong access controls. As RDP is widely used in OT/ICS environments where patching is almost impossible, it is very important for organizations running these systems to find security tools that meet their specific requirements for system availability, operational safety, and other constraints.