
Vulnerability in Microsoft Remote Desktop Protocol Could Allow for Remote Code Execution (MS15-067)

MS-ISAC ADVISORY NUMBER:

2015-079

DATE(S) ISSUED:

07/13/2015

OVERVIEW:

A vulnerability in Remote Desktop Protocol (RDP) could allow attackers to take complete control of affected systems or cause a Denial of Service. The Remote Desktop Protocol provides a graphical interface for users to establish a virtual session to other computers. Successfully exploiting this vulnerability could allow the attacker to install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in Denial of Service conditions on targeted systems.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild.

It should be noted that the MS-ISAC has historically identified a large amount of scanning for RDP service as well as brute force attempts against systems running this service.

SYSTEMS AFFECTED:

  • Windows 7
  • Windows 8
  • Windows Server 2012

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
  • LOW

TECHNICAL SUMMARY:

A vulnerability has been identified in RDP that could allow attackers to either take complete control of affected systems or cause a Denial of Service event. By default, RDP is not enabled on any Windows operating system. This vulnerability is caused by the way RDP processes a sequence of specially crafted packets.

A remote unauthenticated attacker could only exploit this vulnerability if the RDP server service is enabled. The exploitation of this issue could lead to the execution of arbitrary code on the target system which could then allow the attacker to install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Block TCP port 3389 at the perimeter firewall if there is no documented business need.
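The following PowerShell script is an added example, not part of the MS-ISAC advisory, that audits a single Windows host against the three recommendations above: whether the MS15-067 update is installed, whether the RDP listener is enabled and on which port, whether any enabled inbound host-firewall rule allows that port, and whether the current session is running with administrative rights. With the `-BlockRdp` switch it adds an explicit inbound block rule on the host firewall, which is the host-level counterpart of the perimeter block the advisory recommends. Assumptions: an elevated session on Windows 8 / Server 2012 or later (the `NetSecurity` cmdlets are not present on Windows 7), and `$KbId` is a placeholder for the KB number of the MS15-067 update, which the advisory does not list; take it from the Microsoft bulletin.

```powershell
<#
  Added example (not from the advisory): audit one host for the MS15-067
  recommendations and optionally block the RDP port on the host firewall.
  Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.
#>
param(
    # Placeholder: replace with the KB number of the MS15-067 update from the Microsoft bulletin.
    [string]$KbId = 'KB<MS15-067-update-id>',
    # When set, add an inbound block rule for the RDP port on the host firewall.
    [switch]$BlockRdp
)

# 1. Patch state: Get-HotFix lists installed updates; no match means not patched.
$patched = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

# 2. RDP listener state: fDenyTSConnections = 0 means Remote Desktop is enabled.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ((Get-ItemProperty $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0)

# 3. Listening port: default 3389, but administrators may have changed it.
$port = (Get-ItemProperty "$tsKey\WinStations\RDP-Tcp" -Name PortNumber).PortNumber

# 4. Enabled inbound allow rules whose port filter names the RDP port exactly.
#    (Rules using port ranges or 'Any' are not matched by this simple check.)
$allowRules = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port" })

# 5. Least-privilege check: is this session running as an administrator?
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    Ms15067Patched   = $patched
    RdpEnabled       = $rdpEnabled
    RdpPort          = $port
    InboundAllowRules = $allowRules.Count
    RunningAsAdmin   = $isAdmin
} | Format-List

if ($BlockRdp) {
    # An explicit block rule takes precedence over allow rules in Windows Firewall.
    New-NetFirewallRule -DisplayName 'MS15-067 mitigation: block inbound RDP' `
        -Direction Inbound -Protocol TCP -LocalPort $port -Action Block -Profile Any | Out-Null
    Write-Warning "Inbound TCP $port is now blocked on $env:COMPUTERNAME."
}
```

Run it without switches first to see the host's state; `RdpEnabled = True` together with `Ms15067Patched = False` and a non-zero `InboundAllowRules` count is the exposed configuration the advisory describes. Re-run with `-BlockRdp` only where there is no documented business need for RDP, and remove the rule once the update has been applied and tested.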
