Advisory: RDP Vulnerability - Critical & Urgent
March 15, 2012
(FAQ & Tech Tips added Mar 21; see bottom of page)

This is a particularly critical and urgent IT security event. While there have always been numerous similar ones with high severity, this one is directly applicable to your site.
What is it?
- On March 13, 2012, Microsoft issued Security Bulletin MS12-020.
- A flaw has been discovered in Remote Desktop Services and was cooperatively disclosed to MAPP.
- There are currently no known in-the-wild attacks, but they are expected within 30 days.
- In short, it potentially allows external parties to achieve code execution on the host, without RDP authentication, provided all prerequisites are met.
- Affected platforms:
  - XP, Vista, Windows 7, Server 2003, Server 2003 R2, Server 2008, Server 2008 R2, SBS 2003/2008/2011 (both x86 & x64 in all cases)
  - All Service Pack levels are affected. Of course, no patches are available for EOL SPs, thus forcing upgrade decisions on legacy installations: XP SP2, Vista SP1, 2003 SP1, 2008 SP1.
- The issues are on the host side; RDP clients & gateways are not at risk.
Bravo Tiered Response (per SLA):
- next-day emergency response (already completed last night): dedicated servers (domain/workgroup), for sites within our IT jurisdiction, with standing authorization and unfettered access
- guaranteed 5-day priority scheduling: tier-1 site workstations; private notices already sent, appointments scheduled
- best-effort scheduling within 10 days: tier-2 sites
- recommended 30-day window for tier-3 sites to address this issue
- upon request, on a time/resource-permitting basis, subject to schedule bump
Implementation Items:
- install the critical patch for the exact platform (KB2621440, KB2667402)
- implement & activate Network Level Authentication (NLA)
  - native built-in feature of Vista/Windows 7 (host + client)
  - requires enabling via UI, registry, or group policy
  - it is now acceptable & necessary to demand NLA for inbound RDP
  - naturally, this triggers a corresponding upgrade of inbound XP RDP clients
    - upgrade XP RDP clients to version 6.1
    - activate the Credential Security Support Provider in XP SP3 via policy/registry
  - an XP RDP host does not support NLA
- move to a non-standard WAN-side NAT port forward (hiding)
- as a strategic last resort: disable RDP on selected stations in the interim
- post-deployment network scanning & patch status verification
- exception handling & strategic decisions for complex legacy installations
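A per-host audit for the items above, added here as an example and not part of the Bravo advisory or its tooling: it reports whether either listed KB is installed, whether NLA is required on the RDP-Tcp listener, the security layer, the listener port, and whether RDP is enabled at all. It assumes Windows 7 / Server 2008 R2 with PowerShell 2.0 or later and local administrator rights; the registry value names are the ones the NLA group-policy setting writes, and the -EnforceNla switch is this script's own assumption.

```powershell
# Added example (not from the advisory): audit one host for the MS12-020 implementation items.
# Assumes Windows 7 / Server 2008 R2, PowerShell 2.0+, local admin rights.
param(
    [switch]$EnforceNla   # hypothetical switch: when set, require NLA on the listener
)

$tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$listener = Join-Path $tsRoot 'WinStations\RDP-Tcp'
$fixes    = 'KB2621440', 'KB2667402'   # KBs named in the advisory; which one applies depends on OS

# Patch status: Get-HotFix reads the installed-updates list (Win32_QuickFixEngineering).
$installed = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $fixes -contains $_.HotFixID } |
             ForEach-Object { $_.HotFixID }

# Listener state: fDenyTSConnections = 1 means RDP is disabled (the interim "last resort" item).
$rdpEnabled = (Get-ItemProperty $tsRoot -Name fDenyTSConnections).fDenyTSConnections -eq 0
$props      = Get-ItemProperty $listener
$nla        = $props.UserAuthentication -eq 1   # 1 = NLA required before a session is set up
$tls        = $props.SecurityLayer -eq 2        # 0 = RDP security, 1 = negotiate, 2 = TLS only
$port       = $props.PortNumber                 # 3389 unless the non-standard-port item was applied

if ($EnforceNla -and -not $nla) {
    # Same value the "Require user authentication ... Network Level Authentication" policy sets.
    Set-ItemProperty -Path $listener -Name UserAuthentication -Value 1 -Type DWord
    $nla = $true
}

# One record per host; pipe to Export-Csv when run fleet-wide via Invoke-Command.
New-Object PSObject -Property @{
    Host        = $env:COMPUTERNAME
    RdpEnabled  = $rdpEnabled
    Ms12020Fix  = $(if ($installed) { $installed -join ',' } else { 'MISSING' })
    NlaRequired = $nla
    TlsOnly     = $tls
    Port        = $port
    # Compliant if RDP is off, or the fix is present and NLA is enforced.
    Compliant   = (-not $rdpEnabled) -or (($installed -ne $null) -and $nla)
}
```

Hosts reporting Ms12020Fix = MISSING with RdpEnabled = True are the ones the post-deployment verification step should flag first; XP hosts will show no UserAuthentication value, matching the note that an XP RDP host cannot require NLA.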
In Summary
- high severity of consequences upon successful breach
- high probability of occurrence (virtual certainty)
- urgency: exploit code in the wild expected within days to weeks
- exact applicability: infrastructural scenario & conditions at your site
- highly effective & comprehensive suite of remedy strategies formulated & apparatuses in place, ready to deploy
Bravo Security Response Sequence:
Monitor * Research * Assess * Mobilize * Deploy * Post * Notify