On 13th March 2012, Microsoft released a security patch for the critical MS12-020 vulnerability in the Remote Desktop Protocol (RDP). RDP allows users and administrators to access their Windows servers or desktops remotely over the network, and it is quite common to see organisations opening this protocol through their firewall. The vulnerability allowed attackers to execute arbitrary commands over the network on systems running a vulnerable RDP service, which could lead to denial of service or, worse, to the loss of sensitive data stored on the system. This issue affects almost all Microsoft operating systems.
The vulnerability (Microsoft bulletin MS12-020, CVE-2012-0002) was discovered by an Italian researcher in May 2011, and it has taken Microsoft nearly a year to release the patch. While security researchers are still working to put together an exploit that demonstrates this vulnerability, there are rumours that a working exploit is already known in the wild but not publicly accessible. This is the sort of vulnerability typically used by a worm to propagate from one system to another, and researchers believe that we may soon see a worm exploiting this issue.
In order to protect themselves from the MS12-020 critical security vulnerability, organisations are advised to apply the Microsoft patch and take further action to ensure both the immediate and longer term security of their IT infrastructure.
Based on the advice from Microsoft and our own IT and network security expertise, we recommend that organisations:
install security patches from Microsoft as soon as possible – go to: http://technet.microsoft.com/en-us/security/bulletin/ms12-020
block all traffic to RDP port (3389 by default) for systems that cannot be patched
restrict RDP access to authorised personnel only, and enforce this by source IP address
conduct a network penetration test to ascertain whether your infrastructure is secured against external or internal attackers.
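The two firewall recommendations above (blocking the RDP port on hosts that cannot be patched, and limiting RDP to authorised source addresses) can be applied and audited with the Windows NetSecurity cmdlets. This is an added example, not part of the original advisory; the management address list, the rule name and the English-language built-in rule group name 'Remote Desktop' are assumptions, and it requires Windows 8 / Server 2012 or later and an elevated PowerShell session.

```powershell
# Added example, not from the original advisory. Assumes Windows 8 / Server 2012+
# (NetSecurity module), an English install with the built-in 'Remote Desktop'
# rule group, and an elevated session. Addresses and rule name are constructed.

$ManagementSources = @('10.0.50.10', '10.0.50.0/24')   # constructed allow-list
$RdpPort = 3389                                        # default RDP port

function Restrict-RdpToManagement {
    # Scope the built-in "Remote Desktop" allow rules to the allow-list, so the
    # profile's default inbound Block action covers every other source.
    param([string[]]$Sources)
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $Sources
}

function Block-RdpCompletely {
    # For hosts that cannot be patched: disable the built-in allow rules and add
    # an explicit block rule. Block rules take precedence over allow rules.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    if (-not (Get-NetFirewallRule -DisplayName 'MS12-020 - block RDP' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'MS12-020 - block RDP' -Direction Inbound `
            -Protocol TCP -LocalPort $RdpPort -Action Block -Profile Any | Out-Null
    }
}

function Get-ExposedRdpRules {
    # Audit: report every enabled inbound allow rule covering the RDP port whose
    # remote address is unrestricted ('Any'). An empty result is the goal.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        ($port.Protocol -eq 'TCP') -and
        (($port.LocalPort -contains "$RdpPort") -or ($port.LocalPort -eq 'Any')) -and
        ($addr.RemoteAddress -eq 'Any')
    } | Select-Object DisplayName, Profile
}

# Run the audit first; apply Restrict-RdpToManagement (patched hosts) or
# Block-RdpCompletely (unpatchable hosts) once the exposed rules are understood.
Get-ExposedRdpRules
```

Re-run `Get-ExposedRdpRules` after remediation; any rule still listed is a path by which the RDP service remains reachable from arbitrary addresses.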
Our team of security experts stays abreast of all the latest vulnerability disclosures and exploits released on a day-to-day basis. After testing the exploits, these are incorporated into our proven penetration testing capability.
To find out more about securing your IT infrastructure and conducting penetration tests, please contact us now.
1. Microsoft Security TechCenter - http://technet.microsoft.com/en-us/security/bulletin/ms12-020
2. Microsoft’s response - http://blogs.technet.com/b/msrc/archive/2012/03/16/proof-of-concept-code-available-for-ms12-020.aspx
3. Zero Day Initiative - http://www.zerodayinitiative.com/advisories/ZDI-12-044/
4. CVE - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
5. Luigi Auriemma’s Blog - http://aluigi.org/adv/ms12-020_leak.txt and http://aluigi.org/adv/termdd_1-adv.txt
6. Remote Desktop Protocol - http://en.wikipedia.org/wiki/Remote_Desktop_Protocol