RDP Vulnerability -- Heads Up / Question

[HTRegz]

Hey Hey,

Has anyone seen a live exploit for the new RDP vulnerability and does anyone know how serious it is?

Info @ http://www.microsoft.com/technet/sec...ry/904797.mspx
Sans Info @ http://isc.sans.org/diary.php

I run RDP and I'm wondering if, for the mean time, I should be disabling the service.... I haven't seen any mention of it on most of my usual stomping grounds, so it leads me to believe that it's not that big yet...

It looks like it's just a blue screen if you follow this thread

https://www.immunitysec.com/pipermai...ly/002185.html

Anyways.... any word on the severity of this?

Peace,
HT

[XTC46]

yea, im going to have to look into this now becasue i use RDP a lot. I also have clients that use term server religiously which would be effected also. Thanks for the heads up.

[Tiger Shark]

The best two recommendations I have seen - which are good sense anyway - are:-

1. VPN the connection, (which is what I do at work)
2. IPSec the connection, (which is what I am working on at home right now).

[HTRegz]

Originally posted here by Tiger Shark
The best two recommendations I have seen - which are good sense anyway - are:-

1. VPN the connection, (which is what I do at work)
2. IPSec the connection, (which is what I am working on at home right now).

Hey Hey,

I highly agree with the VPN and that's normally how I run... The problem is that when I'm at the college (where I spend 75% of my time) I can't establish a VPN connection to my home... This leaves me with directly connecting to RDP as my only option... Which is why I'm hopeful that we'll see a patch for this in the near future.

Peace,
HT

[Dr Toker]

I guess...but really the only threat is a Denial of Service. I personally am not too worried with my home box getting DOS'd. But even if I was, I'm certain that these packets could be blocked at firewall, or router level.

I'm not really about sacrificing the LITTLE speed rdp has, by tunnling through a whole bunch of crap.

[Tiger Shark]

I guess...but really the only threat is a Denial of Service.

Er... The only _currently known_ threat is DoS.... What happens if someone is carefully crafting an overflow? Better to seal the gates now than allow "complacency" to sink the ship don't you think?

[zencoder]

Originally posted here by HTRegz
Hey Hey,

I highly agree with the VPN and that's normally how I run... The problem is that when I'm at the college (where I spend 75% of my time) I can't establish a VPN connection to my home... This leaves me with directly connecting to RDP as my only option... Which is why I'm hopeful that we'll see a patch for this in the near future.

Peace,
HT

HT your best bet, short of stopping the RDP service(s), is to:

#1 - use an alternate port and port map it through your firewall/router
(if you reply that you don't use a firewall/router, I'll kick you )

#2 - ACL. that is, limit the IP's that can connect to said port(s) at your firewall router
(same as previous sub-comment)

Changing the port doesn't really protect you per se, but it will stop the inevitable Worms/Virii/Crapware that will propigate, which will flood this port(s) with packets from zombies. This is really a practice of security through obscurity, but it will allow you to continue to use RDP with a decreased exposure to this threat.

Using an ACL will slow down any potential active threat who may be probing or scanning you system/network. If done properly, they may still find the port is open, but they won't necessarily know what it is. This won't stop them from flooding it with everything from a christmas tree to the RDP malformed packet, but in doing so they would be less stealthy and easier to detect.