22 C
Monday, June 24, 2024

You Need to Patch Windows Remote Desktop Vulnerability Now

Patch Windows Remote Desktop Vulnerability

CyberArk researched discovered a Windows Remote Desktop (RDP) vulnerability tracked as CVE-2022-21893, which you need to patch now!

Vulnerability Description

This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards.

- Advertisement -

This could lead to data privacy issues, lateral movement and privilege escalation.

Affected Operating Systems

According to CyberArk’s researchers: “The latest versions of Windows (client and server editions) are affected by this vulnerability, and it goes back at least to Windows Server 2012 R2, so we can say that the majority of Windows versions in use today are affected.”

Basic Attack Description

  • An attacker connects to a remote machine via RDP
  • The attacker lists the open named pipes and finds the full name of the TSVCPIPE pipe
  • The attacker creates a pipe server instance with the same name and waits for a new connection
  • Once a new connection arrives, RDS creates its own pipe server instance for the session and a pipe client that will attempt to connect to it
  • Because of the FIFO, the pipe client will connect to the attacker pipe server instance instead of the one created by the RDS service
  • The attacker connects as a client to the real RDS pipe server instance
  • The attacker holds both ends of the connection, they can act as man-in-the-middle, passing the data back and forth, viewing and (optionally) modifying it

CyberArk has created a tool that performs these steps to create a man-in-the-middle that prints the data passing through the pipes for demonstration purposes.

Further Attacks

The security researchers targeted the device redirection channel (RDPDR) which is used for redirecting devices such as drives and smart cards from the client machine to the remote session. This makes possible for attackers to access other user’s redirected drives and smart-card information.

Patch Has Been Released

CyberArk followed a responsible disclosure to Microsoft about this vulnerability and a patch has been released.


Also Read