CyberArk researchers discovered a Windows Remote Desktop Protocol (RDP) vuln tracked as CVE-2022-21893. Simply put, they point out that “This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards. This could lead to data privacy issues, lateral movement and privilege escalation.” They say that the current versions of Windows all have this vuln, which dates back to Windows Server 2012 R2, so the assumption is that most Windows versions, both client & server editions, are susceptible. CyberArk reported the vulnerability to Microsoft who has released a fix in the latest security update.
<p>This windows pipe service attack (TSVCPIPE) is conducting the standard attack sequence hackers take after scanning and enumerating our systems.This attack allows the hackers to become an identity on the machine that has advance privileges and thus enable the attacker to reach their objective: persistence, lateral movement, and exfiltration. The enterprise needs to have triggers on anomalous traffic, safeguards that impede lateral movement (zero trust) and detection and reviews of identities to detect privilege escalation.</p>
<p>RDP attacks have been around since the introduction of RDP. This protocol, like most old protocols running on Windows computers, was primarily designed for functionality without security in mind. Hence, it is a protocol that will require ongoing patching because of newly discovered vulnerabilities. Here it is very important to know if you have RDP exposed on the Internet because it is a highly scanned port by threat actors to exploit. </p>
<p>This is vulnerability management 101. Shodan, and other comparable search/scan engines that are readily accessible, continue to show many systems on the Internet running RDP.</p>