
Update: Serious Vulnerability in Microsoft Remote Desktop

Last updated on March 20, 2012 at 4:58PM

Update on March 20, 2012 at 4:58PM

Please take note of the following urgent security message. Where possible, please help to make affected users aware of this change and support them in using the VPN service.

Last week, Microsoft announced a very serious vulnerability with the Microsoft Remote Desktop Protocol (MS RDP), a protocol that provides remote display and input capabilities over network connections for Windows-based applications running on a server. Though Microsoft has also issued a patch for the primary vulnerability, the severity of the potential impact related to unpatched systems at Penn State is significant. As a result, Penn State will begin blocking incoming port 3389 on Wednesday, March 21, 2012.

MS RDP, by default, uses port 3389, and this port is open at the University and is continually scanned by attackers. Normally attackers are attempting to guess a valid username and password on the machine. This is of particular concern because a working exploit could turn into a self-spreading worm that infects all unprotected Windows systems running Remote Desktop.

While users can still use MS RDP after the block, they will need to use Penn State's Virtual Private Network (VPN) in order to do so. See: http://kb.its.psu.edu/node/891

Additional information about this vulnerability is found in the ITS Alert at: http://alerts.its.psu.edu/alert-2262/

Inquiries and requests for assistance regarding this vulnerability should be directed to security@psu.edu.

Original Alert

Background

On March 13, 2012, Microsoft released Advisory 2671387[1] which stated
that Microsoft has fixed a vulnerability in Microsoft Remote Desktop
Protocol (RDP) that if exploited could grant complete control to an
attacker.

Impact

On a computer running Microsoft Remote Desktop in a default
configuration, an attacker without credentials can send a specially
crafted sequence of data to the computer and gain complete control
of the vulnerable computer.

Platforms Affected

This affects all supported versions of Microsoft Windows.

Observations

By default, RDP uses TCP port 3389. This port is open at the
University and is continually scanned by attackers. Normally the
attackers are attempting to guess a valid username and password on
the machine. ITS Security Operations and Services Office has not
observed a major increase in traffic as of March 16, 2012.

However, as of March 16, 2012, a bounty of almost $1500 USD has been offered
for a working exploit[2]. While SOS believes attackers attempt to
develop exploits after every vulnerability announcement, this
vulnerability is of particular concern because a working exploit could turn into
a self-spreading worm that infects all unprotected Windows systems
running Remote Desktop.

Recommendations

Microsoft Security Bulletin MS12-020 included a patch that should be
applied as soon as possible. Microsoft expects working exploits to
be in use within weeks (if not sooner).

Workarounds

The suggestions below will not fix the underlying vulnerability, but
provide defense in depth against possible attacks. Detailed
explanations of each workaround can be found in the Microsoft
Bulletin MS12-020[1].

Disable Remote Desktop

Best practice is to disable unnecessary services on a machine.
If Remote Desktop is not needed, disable it.

Limit Access to TCP Port 3389 via a Firewall

Only allow connections from trusted IP ranges. For example, limit
TCP 3389 to only the University and require users to connect to the
University VPN service before using RDP.

Enable Network Level Authentication on Modern Windows Systems

If all of your RDP clients run Windows Vista, Windows 7, Server 2008 or
Server 2008 R2, you can enable Network Level Authentication and force a
user to authenticate before being allowed to use RDP.
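The three workarounds above, applied to a single Windows host, as an added example that is not part of this alert or of Microsoft's bulletin. It assumes the stock firewall rule is named "Remote Desktop (TCP-In)", that the host uses the default inbound policy of Block, and uses a constructed placeholder for the trusted address range.

```powershell
# Added example, not part of the ITS alert or of Microsoft's bulletin.
# Applies the alert's three workarounds on one Windows Vista/7/Server 2008 host.
# Run from an elevated PowerShell prompt. $TrustedRange is a constructed
# placeholder (RFC 5737 documentation space); substitute the campus/VPN range.
$TrustedRange = '198.51.100.0/24'

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = "$tsKey\WinStations\RDP-Tcp"

# Workaround 1: disable Remote Desktop outright when it is not needed.
# fDenyTSConnections=1 refuses every incoming RDP session (0 is the weak default).
function Disable-RemoteDesktop {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
}

# Workaround 2: keep TCP 3389 reachable only from the trusted range.
# The stock "Remote Desktop (TCP-In)" rule (name assumed; confirm with
# 'netsh advfirewall firewall show rule name=all') allows any remote address,
# so it is disabled and replaced by a rule scoped to $TrustedRange. With the
# default inbound policy of Block, no other source can reach the port.
function Restrict-RdpToTrustedRange {
    param([string]$RemoteIp)
    netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no | Out-Null
    netsh advfirewall firewall add rule name="RDP from trusted range only" `
        dir=in action=allow protocol=TCP localport=3389 remoteip=$RemoteIp | Out-Null
}

# Workaround 3: require Network Level Authentication (Vista/7/2008/2008 R2).
# UserAuthentication=1 demands credentials before a session is created;
# 0 (the weak setting) lets unauthenticated clients talk to the RDP service.
function Enable-NetworkLevelAuthentication {
    Set-ItemProperty -Path $tcpKey -Name UserAuthentication -Value 1 -Type DWord
}

# Read back the two registry values so the change can be verified or audited.
function Get-RdpHardeningState {
    $ts  = Get-ItemProperty -Path $tsKey
    $tcp = Get-ItemProperty -Path $tcpKey
    New-Object PSObject -Property @{
        RemoteDesktopDisabled = ($ts.fDenyTSConnections -eq 1)
        NlaRequired           = ($tcp.UserAuthentication -eq 1)
    }
}

# Hosts that still need RDP: apply workarounds 2 and 3; otherwise run workaround 1.
Restrict-RdpToTrustedRange -RemoteIp $TrustedRange
Enable-NetworkLevelAuthentication
Get-RdpHardeningState
```

The registry changes apply to new connections only; existing sessions are unaffected until they reconnect.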

Further Reading

CVE-2012-0002: A closer look at MS12-020's critical issue[3]
Strength, flexibility and the March 2012 security bulletins[4]

[1] http://technet.microsoft.com/en-us/security/bulletin/ms12-020
[2] http://blog.spiderlabs.com/2012/03/the-race-for-ms12-020.html
[3] http://blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx
[4] http://blogs.technet.com/b/msrc/archive/2012/03/13/strength-flexibility-and-the-march-2012-security-bulletins.aspx

For more information, please contact security@psu.edu (814.863.9533).



Impact Information

  • Incident Type:
    General Information
  • Services affected:
    Security
  • Locations affected:
    All locations
  • Start time:
    March 16, 2012 at 7:30PM
  • Estimated resolution time:
    ASAP