Vulnerability in RDP Could Allow Remote Code Execution (MS15-082)

ITS Advisory Number: 
2015-096
Date(s) Issued: 
Tuesday, August 11, 2015
Subject: 
Vulnerability in RDP Could Allow Remote Code Execution (MS15-082)
Overview: 

A vulnerability has been discovered in Microsoft's Remote Desktop Protocol client that could allow an attacker to remotely take control of the affected system. Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software. The vulnerability lies in the RDP client, which loads a DLL from the user's current working directory when a specially crafted RDP (.rdp) file is opened; an attacker who can place a malicious DLL in that directory and convince the user to open such a file can execute code as that user. It is not triggered by network packets sent to the RDP server service.

Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Microsoft Windows Vista
  • Microsoft Windows 7
  • Microsoft Windows 8
  • Microsoft Windows 8.1
  • Microsoft Windows RT
  • Microsoft Windows RT 8.1
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2008 (Server Core Installation)
  • Microsoft Windows Server 2008 R2 (Server Core Installation)
  • Microsoft Windows Server 2012 (Server Core Installation)
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

A vulnerability has been discovered in Microsoft's Remote Desktop Protocol client that could allow an attacker to remotely take control of the affected system. In order to exploit this vulnerability, an attacker would first have to place a specially crafted DLL file in the target user's current working directory and then convince the user to open a specially crafted RDP file from that directory. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted RDP file designed to exploit the vulnerability. An attacker would have no way to force the user to visit the website; instead, the attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message. Because the flaw is in the client, any system on which a user opens .rdp files is exposed, not only systems that accept RDP connections. The update addresses the vulnerability by correcting how the Windows RDP client loads certain binaries.

Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
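
The precondition described above (a DLL sitting in the same directory as an .rdp file the user is about to open) is something a responder can check for in download folders, mail-attachment quarantine, or extracted archives. The following triage script is an added example and is not part of this advisory or any Microsoft tooling: it parses the plain-text `name:type:value` lines of .rdp files (mstsc.exe saves them as UTF-16 LE with a BOM; hand-written ones are usually UTF-8), reports the connection target, and flags any .rdp file that has a DLL alongside it. The sample directories, the host name `rdp.example.test` and the file name `planted.dll` are constructed test data; the advisory does not say which DLL name the client looks for, so the script flags any DLL next to an .rdp file rather than a specific name.

```python
import tempfile
from pathlib import Path


def read_rdp_text(path):
    """Decode an .rdp file. mstsc.exe writes UTF-16 LE with a BOM; files
    built by hand (or by an attacker) are often plain ASCII/UTF-8."""
    data = Path(path).read_bytes()
    if data.startswith(b'\xff\xfe') or data.startswith(b'\xfe\xff'):
        return data.decode('utf-16')  # decode() consumes the BOM
    return data.decode('utf-8', errors='replace')


def parse_rdp(text):
    """Parse 'name:type:value' lines (type is s, i or b) into a dict.
    The value may itself contain ':' (e.g. 'full address:s:host:3389'),
    so split on at most two colons and keep the rest as the value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(':', 2)
        if len(parts) != 3:
            continue  # not a well-formed setting line; ignore it
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip(), value.strip())
    return settings


def triage_directory(directory):
    """For every .rdp file in `directory`, report the connection target and
    whether any DLL sits in the same directory. A DLL delivered together
    with an .rdp file (e.g. inside an archive from e-mail) matches the
    advisory's precondition: the crafted DLL must be in the working
    directory the client uses when the .rdp file is opened."""
    directory = Path(directory)
    entries = [p for p in directory.iterdir() if p.is_file()]
    dlls = sorted(p.name for p in entries if p.suffix.lower() == '.dll')
    findings = []
    for rdp in sorted(p for p in entries if p.suffix.lower() == '.rdp'):
        settings = parse_rdp(read_rdp_text(rdp))
        findings.append({
            'file': rdp.name,
            'target': settings.get('full address', ('s', ''))[1],
            'dlls_alongside': dlls,
            'suspicious': bool(dlls),
        })
    return findings


def build_samples(root):
    """Create two constructed sample directories: one clean, one with a DLL
    planted next to the .rdp file. Not real captures."""
    root = Path(root)
    clean = root / 'clean'
    planted = root / 'planted'
    clean.mkdir()
    planted.mkdir()
    rdp_body = ('screen mode id:i:2\r\n'
                'full address:s:rdp.example.test:3389\r\n'
                'username:s:user\r\n')
    # mstsc-style file: UTF-16 LE with BOM
    (clean / 'office.rdp').write_bytes(b'\xff\xfe' + rdp_body.encode('utf-16-le'))
    # attacker-style file: plain UTF-8, with a DLL dropped beside it.
    # 'planted.dll' is a placeholder name (assumption); the advisory does not
    # state which DLL the client loads from the working directory.
    (planted / 'meeting.rdp').write_text(rdp_body, encoding='utf-8')
    (planted / 'planted.dll').write_bytes(b'MZ' + b'\x00' * 62)
    return clean, planted


def demo():
    """Run the triage over the constructed samples and return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, planted = build_samples(tmp)
        return triage_directory(clean), triage_directory(planted)


if __name__ == '__main__':
    for findings in demo():
        for f in findings:
            flag = 'SUSPICIOUS' if f['suspicious'] else 'ok'
            print(f"{flag:10} {f['file']:15} -> {f['target']}  dlls={f['dlls_alongside']}")
```

Point `triage_directory()` at a user's Downloads folder or an extracted attachment to list every .rdp file with its target host; a hit in `dlls_alongside` is the signal to quarantine both files and look at the DLL before anyone double-clicks the .rdp.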

Actions: 
  • After appropriate testing, apply patch from Microsoft.
  • Note that the vulnerable component is the RDP client, which runs on the system where the .rdp file is opened; disabling the Remote Desktop Services on servers does not mitigate this issue. Until the patch is applied, consider treating .rdp files received by email or downloaded from the web like executable attachments and blocking them from untrusted sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from untrusted sources.