What is RDP
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that lets a user connect to and control another computer over a network. It ships with every Windows edition, presents the remote machine's full graphical desktop through an easy-to-use client, and is supported across Windows client and server versions as well as by third-party clients on other platforms.
This article discusses RDP security and recent RDP vulnerabilities.
How does RDP work
Remote Desktop Protocol (RDP) allows a user to control a computer remotely over the internet or a local network as if sitting in front of it. When connecting to another computer via RDP, the user's keyboard and mouse input is sent from the local device to the remote machine, and the remote machine's screen output is sent back to the local display, so the user can interact with it in real time: running programs, accessing files, and performing tasks as if they were on their own computer.
RDP works by creating an encrypted connection (TLS on current systems) between the user's device (the client) and the remote device (the server). The server sends screen updates to the client, while input (clicks and keystrokes) is sent back to the server. This is useful for IT support, remote work, and managing servers in other locations. However, if not properly secured, RDP is exposed to brute-force and credential-stuffing attacks that can lead to full control of the remote machine and the data on it. This is why strong passwords, multi-factor authentication, encryption, and limiting who can reach the listener are important.
RDP vulnerabilities
RDP is widely used for remote access, and its popularity with remote work in recent years has made it a frequent target for cyberattacks. Vulnerabilities such as BlueKeep have been exploited to gain unauthorized access and compromise sensitive data. Understanding these risks is essential for securing RDP sessions and preventing attacks. Below, we examine common RDP vulnerabilities and key mitigation strategies.
Windows Remote Desktop Protocol Security Feature Bypass
Released: Jul 11, 2023. Windows Remote Desktop Protocol Security Feature Bypass (CVE-2023-35332). The core of the issue is the use of an obsolete, deprecated protocol, Datagram Transport Layer Security (DTLS) version 1.0, which poses security and compliance risks. An attacker who achieves a machine-in-the-middle (MitM) position and exploits this weakness could compromise the confidentiality and integrity of data transmitted when the targeted user connects to a trusted server.
Relying on outdated, deprecated security protocols such as DTLS 1.0 can also put an organization out of compliance with industry standards and regulations such as FedRAMP, PCI DSS, and HIPAA. Many organizations may be violating their compliance obligations without knowing it.
Windows Remote Desktop Security Feature Bypass
Released: Jul 11, 2023. Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2023-32043). An attacker who establishes a machine-in-the-middle (MitM) position and exploits this vulnerability could bypass the certificate validation performed when a targeted user connects to a trusted server, so the client would accept an impostor's certificate as if it belonged to the real server.
Windows Remote Desktop Security Feature Bypass Vulnerability
Released: Jul 11, 2023. Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2023-35352). Successful exploitation lets an attacker bypass certificate or private-key authentication while establishing a Remote Desktop Protocol session.
BlueKeep (Remote Code Execution Vulnerability):
BlueKeep (CVE-2019-0708) is one of the most severe RDP vulnerabilities. It is a pre-authentication flaw in the RDP service of older Windows versions (Windows 7, Windows Server 2008 and 2008 R2, plus the out-of-support Windows XP and Server 2003, for which Microsoft also issued patches): an attacker who can reach the RDP listener, TCP port 3389 by default, can execute arbitrary code on the target without any valid credentials. BlueKeep is also wormable, meaning exploit code can propagate from one vulnerable host to every other reachable vulnerable host with no user interaction. Because the vulnerable code runs before authentication, enabling Network Level Authentication (NLA) blocks unauthenticated exploitation, but installing the patch is the real fix.
CVE-2022-21893, disclosed in January 2022, enables any standard unprivileged user logged on to a Windows host (for example a shared Remote Desktop Session Host) to intercept the RDP virtual channels of other users who connect to that host. The attacker can then read or tamper with those users' clipboard contents and the drives redirected from their client machines. This can lead to data exposure, lateral movement, and privilege escalation.
Client Remote Code Execution Vulnerability
Released: Jan 9, 2024. Remote Desktop Client Remote Code Execution Vulnerability (CVE-2024-21307) is a high-severity flaw in Microsoft's Remote Desktop Client: an attacker who controls the RDP server a user connects to could execute arbitrary code on the user's machine. Unlike the server-side issues above, the attack surface here is the user's own workstation, which is why clients should connect only to trusted servers and be patched as promptly as session hosts.
Brute Force Attack
Weak passwords are common, but the larger problem is password reuse: users log on to RDP with the same credentials they use elsewhere, so a breach of any other service hands attackers working RDP credentials. Combined with an RDP listener reachable from the internet, weak or reused credentials leave the service open to brute-force and credential-stuffing attacks. Each failed attempt is recorded in the Windows Security log as event ID 4625, which makes such attacks easy to spot if anyone is looking.
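The following PowerShell script is an added example, not code from the original article, showing how to surface brute-force and password-spraying activity against an RDP host from the Security event log. It assumes it runs elevated on the RDP host with failure auditing for logon events enabled; the `$Threshold` default and the spray/brute-force labelling rule are constructed values for illustration, not Microsoft settings.

```powershell
# Added example, not code from the original article: find RDP password
# guessing against this host in the Security event log.
# Event ID 4625 = failed logon. LogonType 10 = RemoteInteractive (classic RDP
# logon); with NLA enabled a failed credential check is logged as LogonType 3
# (network) from the same source address, so both types are counted.
# Assumptions: run elevated on the RDP host, "Audit Logon" failure auditing is
# enabled, and $Threshold (a constructed default) is tuned for the environment.
param(
    [int]$Hours = 24,
    [int]$Threshold = 20   # failures from one address before it is reported
)

# XPath filter evaluated by the event log service: far cheaper than pulling
# every 4625 and filtering in PowerShell. timediff() is in milliseconds.
$windowMs = $Hours * 3600 * 1000
$xpath = "*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= $windowMs]]" +
         " and EventData[Data[@Name='LogonType']='10' or Data[@Name='LogonType']='3']]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

# Flatten each event's EventData into a record we can group on.
$records = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $d['TargetUserName']
        SourceIp  = $d['IpAddress']
        LogonType = $d['LogonType']
        Status    = $d['Status']     # 0xC000006D bad name/password, 0xC0000234 locked out
    }
}

# Group by source address. Many distinct users from one address is password
# spraying; one user hammered from one address is classic brute force.
$suspects = $records |
    Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
    Group-Object SourceIp |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $users   = @($_.Group.User | Sort-Object -Unique)
        $pattern = if ($users.Count -gt 1) { 'spray' } else { 'brute force' }
        [pscustomobject]@{
            SourceIp    = $_.Name
            Failures    = $_.Count
            UniqueUsers = $users.Count
            Users       = ($users | Select-Object -First 5) -join ','
            FirstSeen   = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen    = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Pattern     = $pattern
        }
    } | Sort-Object Failures -Descending

$suspects | Format-Table -AutoSize
```

Run it as `.\Find-RdpBruteForce.ps1 -Hours 6 -Threshold 10` to narrow the window. A source with hundreds of failures against `Administrator` is a brute-force run; a source with a handful of failures against each of many accounts is a spray designed to stay under the lockout threshold, which is exactly why lockout policy alone is not enough and the firewall scope and MFA items in the next section matter.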
RDP Mitigation Tips
Mitigating RDP vulnerabilities involves implementing a combination of best practices and security measures to enhance the overall security of the Remote Desktop Protocol. Here are some essential steps to mitigate RDP vulnerabilities:
- Implement role-based access control (RBAC). Workers should only be able to reach the hosts and resources necessary to get their jobs done, and only those users should be members of the Remote Desktop Users group.
- Enable Network Level Authentication (NLA) for RDP at all times.
- Restrict access to the RDP port (TCP 3389 by default) to management networks, a VPN, or a Remote Desktop Gateway; never expose it directly to the internet.
- Monitor RDP utilization, including failed logon events.
- Enable automatic Microsoft updates so that patches for RDP vulnerabilities are applied promptly.
- Implement account lockout policies.
- Make strong passwords and multi-factor authentication (MFA) mandatory.
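The following PowerShell script is an added example, not code from the original article, and turns the checklist above into a read-only audit of a single Windows host. It assumes it runs elevated on Windows 10 / Server 2016 or later with the default `RDP-Tcp` listener; the 45-day patch-age limit is a constructed policy value for illustration, not a Microsoft number.

```powershell
# Added example, not code from the original article: read-only audit of the
# RDP hardening items listed above on the local host.
# Assumptions: run elevated, default listener name RDP-Tcp, Windows 10 /
# Server 2016 or later (Get-NetFirewallRule, Get-LocalGroupMember), and a
# 45-day patch age limit that is a constructed policy value.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = "$tsKey\WinStations\RDP-Tcp"
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, $Value, [bool]$Pass) {
    $findings.Add([pscustomobject]@{ Check = $Check; Value = "$Value"; Pass = $Pass })
}

# RDP enabled at all? fDenyTSConnections = 1 means the listener refuses connections.
$deny = (Get-ItemProperty $tsKey).fDenyTSConnections
Add-Finding 'RDP listener enabled' ($deny -eq 0) $true

# Listener security: NLA required, TLS security layer, High (128-bit) encryption.
$l = Get-ItemProperty $tcpKey
Add-Finding 'NLA required (UserAuthentication=1)'     $l.UserAuthentication ($l.UserAuthentication -eq 1)
Add-Finding 'TLS security layer (SecurityLayer=2)'    $l.SecurityLayer      ($l.SecurityLayer -eq 2)
Add-Finding 'High encryption (MinEncryptionLevel>=3)' $l.MinEncryptionLevel ($l.MinEncryptionLevel -ge 3)
Add-Finding 'Listener port (default 3389)'            $l.PortNumber         $true

# Network exposure: enabled inbound Remote Desktop firewall rules should be
# scoped to management subnets, never to Any.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue
foreach ($r in $rules) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    Add-Finding "Firewall '$($r.DisplayName)' remote scope" ($remote -join ',') ($remote -notcontains 'Any')
}

# Account lockout: 'Never' means unlimited password guesses (domain GPO may override).
$threshold = ((net accounts) | Select-String 'Lockout threshold').ToString().Split(':')[1].Trim()
Add-Finding 'Account lockout threshold' $threshold ($threshold -ne 'Never')

# Patch state: every CVE named in the article is closed by a cumulative update.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
Add-Finding 'Most recent hotfix' "$($latest.HotFixID) $($latest.InstalledOn.ToShortDateString())" `
            ($latest.InstalledOn -gt (Get-Date).AddDays(-45))

# Least privilege: who may log on via RDP (members of local Administrators always can).
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
Add-Finding 'Remote Desktop Users members' ($members.Name -join ',') $true

$findings | Format-Table -AutoSize
```

Rows with `Pass = False` are the items to fix; the informational rows (port, group membership) are there so a reviewer can judge them against the RBAC and exposure rules above. The registry values read here are the ones the NLA group policy in the next section writes, so the audit also confirms that the GPO actually landed on the host.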
Single sign-on (SSO):
SSO lets a company enforce one strong password policy for all employees and put two-factor authentication in front of every login. Placing RDP access behind SSO mitigates the weak-credential problem and shields the network from brute-force attacks, because a guessed password alone is no longer enough to open a session.
How to Mitigate RDP vulnerabilities
With Network Level Authentication enabled, the session host authenticates the connecting user (via CredSSP) before a session is created, so unauthenticated clients never reach the session code that pre-authentication flaws such as BlueKeep target. Below are the steps to configure a GPO that requires NLA for RDP:
1. From Administrative Tools, open the Group Policy Management tool.
2. In the tool, create a new Group Policy Object.
3. Give the policy a name.
4. Right-click the policy and select Edit.
5. Go to Computer Configuration/Policies/Windows Settings/Public Key Policies/Automatic Certificate Request Settings.
6. Right-click Automatic Certificate Request Settings and create a new Automatic Certificate Request. This requests a new computer certificate from the CA and renews it automatically when it expires.
7. When the wizard starts, click Next and select the Computer certificate template.
8. Click Next and then Finish. Now go to Computer Configuration/Policies/Windows Settings/Public Key Policies, double-click Certificate Services Client - Auto-Enrollment, set Configuration Model to Enabled, and make sure the boxes for renewing and managing certificates in the store and for updating certificates when the template is modified are checked.
This completes the certificate enrollment part for computers the GPO applies to.
9. To configure RDP to require NLA, go to Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security.
10. Double-click Require user authentication for remote connections by using Network Level Authentication. On the properties screen select Enabled and click on
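The following PowerShell script is an added example, not code from the original article, and is the scriptable equivalent of steps 9 and 10 for a single host, plus a check the GPO procedure above does not cover: binding the CA-issued certificate to the RDP listener, which otherwise keeps using its self-signed certificate. It assumes it runs elevated on the session host, that auto-enrollment from steps 5 to 8 has already placed a computer certificate in the machine store, and that the listener has the default name `RDP-Tcp`.

```powershell
# Added example, not code from the original article: apply the NLA policy
# from the GPO steps on a single host and bind the enrolled CA certificate to
# the RDP listener. Assumptions: run elevated on the session host, the
# computer has already auto-enrolled a certificate, listener name RDP-Tcp.

# These are the registry values the policies under Remote Desktop Session
# Host/Security write: NLA on, TLS security layer, high encryption.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
New-ItemProperty -Path $policy -Name UserAuthentication -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $policy -Name SecurityLayer      -Value 2 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $policy -Name MinEncryptionLevel -Value 3 -PropertyType DWord -Force | Out-Null

# Push the same settings to the live listener via WMI so they take effect now,
# without waiting for a group policy refresh.
$ns = 'root\cimv2\TerminalServices'
$listener = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$null = $listener.SetUserAuthenticationRequired(1)
$null = $listener.SetSecurityLayer(2)
$null = $listener.SetEncryptionLevel(3)

# Pick the newest CA-issued (not self-signed) Server Authentication certificate
# with a private key from the machine store; auto-enrollment put it here.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.Subject -ne $_.Issuer -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
        $_.NotAfter -gt (Get-Date)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1

if ($cert) {
    # SSLCertificateSHA1Hash is the listener's certificate binding; RDP clients
    # that trust the issuing CA then validate the server without a warning.
    Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null
} else {
    Write-Warning 'No CA-issued server-authentication certificate found; listener keeps its self-signed certificate.'
}

# Re-read the listener and report the effective state. The self-signed default
# certificate lives in the Remote Desktop store, so search both stores.
$listener = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$bound = Get-ChildItem Cert:\LocalMachine\My, 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $listener.SSLCertificateSHA1Hash }

[pscustomobject]@{
    NLARequired     = [bool]$listener.UserAuthenticationRequired
    SecurityLayer   = $listener.SecurityLayer        # 2 = TLS
    EncryptionLevel = $listener.MinEncryptionLevel   # 3 = High
    CertThumbprint  = $listener.SSLCertificateSHA1Hash
    CertIssuer      = $bound.Issuer
    CertSelfSigned  = ($bound -ne $null -and $bound.Subject -eq $bound.Issuer)
}
```

In a domain the GPO remains authoritative: at the next refresh it rewrites the same policy values, so host and policy stay in agreement. The certificate binding is what makes the certificate-validation protections discussed under CVE-2023-32043 meaningful, since a client can only reject an impostor's certificate if the genuine listener presents one the client can validate.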
RDP and Server hardening
RDP vulnerabilities have been a common target for attackers, as weaknesses in the protocol implementation, in the mstsc client, and in RDP configuration can expose remote desktop sessions to exploitation. To mitigate risks, securing network connections and properly configuring Remote Desktop Services is critical, especially where public-facing IP addresses are involved. A Windows RDP vulnerability can lead to unauthorised access if attackers find ways to bypass authentication, underscoring the importance of addressing Microsoft RDP vulnerabilities with timely patches and security measures.
Hardening a system manually is time-consuming and costly. This is attributed to the more complex nature of the network and audit requirements. CalCom offers a fully automated server hardening tool - CHS that can help with RDP security. CHS's unique ability to 'learn' a network eliminates the need to perform lab testing while ensuring zero outages to production environments. CHS allows implementation of policies directly on production servers, hassle-free.