RDP Vulnerability -- Heads Up / Question

Printable View

July 17th, 2005, 08:20 AM
HTRegz

RDP Vulnerability -- Heads Up / Question

Hey Hey,

Has anyone seen a live exploit for the new RDP vulnerability and does anyone know how serious it is?

Info @ http://www.microsoft.com/technet/sec...ry/904797.mspx
Sans Info @ http://isc.sans.org/diary.php

I run RDP and I'm wondering if, for the mean time, I should be disabling the service.... I haven't seen any mention of it on most of my usual stomping grounds, so it leads me to believe that it's not that big yet...

It looks like it's just a blue screen if you follow this thread

https://www.immunitysec.com/pipermai...ly/002185.html

Anyways.... any word on the severity of this?

Peace,
HT
July 17th, 2005, 09:53 AM
XTC46

yea, im going to have to look into this now becasue i use RDP a lot. I also have clients that use term server religiously which would be effected also. Thanks for the heads up.
July 17th, 2005, 12:07 PM
Tiger Shark

The best two recommendations I have seen - which are good sense anyway - are:-

1. VPN the connection, (which is what I do at work)
2. IPSec the connection, (which is what I am working on at home right now).
July 17th, 2005, 04:22 PM
HTRegz

Quote:

Originally posted here by Tiger Shark
The best two recommendations I have seen - which are good sense anyway - are:-

1. VPN the connection, (which is what I do at work)
2. IPSec the connection, (which is what I am working on at home right now).

Hey Hey,

I highly agree with the VPN and that's normally how I run... The problem is that when I'm at the college (where I spend 75% of my time) I can't establish a VPN connection to my home... This leaves me with directly connecting to RDP as my only option... Which is why I'm hopeful that we'll see a patch for this in the near future.

Peace,
HT
July 18th, 2005, 10:42 PM
Dr Toker

I guess...but really the only threat is a Denial of Service. I personally am not too worried with my home box getting DOS'd. But even if I was, I'm certain that these packets could be blocked at firewall, or router level.

I'm not really about sacrificing the LITTLE speed rdp has, by tunnling through a whole bunch of crap.
July 18th, 2005, 11:11 PM
Tiger Shark

Quote:

I guess...but really the only threat is a Denial of Service.

Er... The only _currently known_ threat is DoS.... What happens if someone is carefully crafting an overflow? Better to seal the gates now than allow "complacency" to sink the ship don't you think?
July 19th, 2005, 04:27 PM
zencoder

Quote:

Originally posted here by HTRegz
Hey Hey,

I highly agree with the VPN and that's normally how I run... The problem is that when I'm at the college (where I spend 75% of my time) I can't establish a VPN connection to my home... This leaves me with directly connecting to RDP as my only option... Which is why I'm hopeful that we'll see a patch for this in the near future.

Peace,
HT

HT your best bet, short of stopping the RDP service(s), is to:

#1 - use an alternate port and port map it through your firewall/router
(if you reply that you don't use a firewall/router, I'll kick you :))

#2 - ACL. that is, limit the IP's that can connect to said port(s) at your firewall router
(same as previous sub-comment)

Changing the port doesn't really protect you per se, but it will stop the inevitable Worms/Virii/Crapware that will propigate, which will flood this port(s) with packets from zombies. This is really a practice of security through obscurity, but it will allow you to continue to use RDP with a decreased exposure to this threat.

Using an ACL will slow down any potential active threat who may be probing or scanning you system/network. If done properly, they may still find the port is open, but they won't necessarily know what it is. This won't stop them from flooding it with everything from a christmas tree to the RDP malformed packet, but in doing so they would be less stealthy and easier to detect.