Internet Accessible Remote Desktop Protocol (RDP)

Description

The Remote Desktop Protocol (RDP) was created by Citrix Systems, Inc. in 1995 and subsequently sold as part of an enhanced version of Windows NT 3.51 called WinFrame. In 1998, the Microsoft Corporation included RDP with its Windows NT 4.0 Terminal Server Edition, and the protocol has been included in all versions of its Windows Server operating systems since.

RDP is a proprietary network protocol that allows an individual to control the resources and data of a computer over a Local Area Network (LAN) or the Internet.

RDP listens on port 3389/TCP and 3389/UDP.

Problem

Since 1998, the Microsoft Corporation has released twenty (20) security updates and disclosed twenty-four (24) Common Vulnerabilities and Exposures (CVEs) specifically related to RDP.

The Microsoft Remote Desktop Protocol (RDP) is an extremely useful tool when used by authorised personnel: the ability to view and control a remote desktop session, sharing input and display graphics between the two endpoints, allows IT technical support personnel to diagnose and resolve problems remotely. When abused by unauthorised parties, however, it can have severe consequences.

The use of remote administration tools such as RDP as an attack vector has been on the rise since mid-to-late 2016, with an increase in the sale and purchase of login credentials on the dark web by threat actors and cybercriminals. The value of a set of credentials is determined by the location of the compromised computer, the software used in the session, and any additional attributes that increase the usability of the stolen resources.

In July 2017, the cybersecurity company Rapid7, based in Boston, Massachusetts, in the United States, published a list from its Project Sonar study of the top twenty countries, in descending order of the number of exposed RDP endpoints reported for each country. Ireland was listed in the unenviable position of twentieth, with a reported total of 43,307 exposed RDP endpoints.

Compromise can occur in a number of ways, including:

1. Brute forcing credentials with automated tools
   A brute force attack involves 'guessing' the username and password to gain unauthorised access to a system. Brute force is a simple attack method that can have a high rate of success. Malicious actors can also use applications and scripts as brute force tools. These applications attempt to discover a password by systematically trying every possible combination of letters, numbers and symbols until the correct combination is found and the authentication process is bypassed.

2. Use of stolen credentials
   Credential-based attacks occur when malicious actors steal credentials to gain access, bypassing an organisation's security measures. Credential theft is usually a targeted effort. Malicious actors scour social media sites such as LinkedIn, searching for specific users whose credentials will grant them access to critical data and information. The phishing emails and websites used in corporate credential theft are much more sophisticated than those used for consumer credential theft.

3. Exploitation of known RDP vulnerabilities
   Since the Microsoft Corporation first included RDP with Windows NT 4.0 Terminal Server Edition in 1998, it has released twenty (20) security updates and disclosed twenty-four (24) separate Common Vulnerabilities and Exposures (CVEs) specifically related to RDP. If an organisation fails to install the security updates or apply the relevant software patches released by the Microsoft Corporation in response to the disclosed RDP-related CVEs, the vulnerabilities may be exploited by a malicious actor.

An unauthorised user with remote access could do untold damage including but not limited to:

  • Reconnaissance
  • Disabling security software
  • Download and install unwanted tools and applications
  • Lateral movement within a network
  • Credential harvesting
  • Data exfiltration
  • Data destruction
  • Data encryption (Ransomware)

Use of easy-to-guess passwords with no additional layers of authentication or protection makes it easier for a malicious actor to compromise a system.

In addition, a malicious actor, on successfully gaining access to a network,  can maintain access for sustained periods without detection with the aid of software and log manipulation.

Consequently, RDP has become a popular attack vector, especially among cybercriminals that specialise in ransomware attacks. These cybercriminals typically brute-force their way into a poorly secured network, elevate their rights to administrator level, disable or uninstall security solutions, exfiltrate data, encrypt files on the hard drives of individual computers, and then attempt to extort payment from the victim with a promise that they will provide the means to decrypt the files encrypted by their ransomware and that they will return the data they have exfiltrated.

Cipher Suites & CredSSP User authentication - RDP

The RDP protocol, when invoked, opens a dedicated network channel on port 3389/TCP between the connected computers for the transfer of all data, including mouse movements, keystrokes, the desktop graphical display and all other necessary data. The alternate port 3389/UDP may be used in the event of the default configuration being changed. RDP supports various mechanisms to reduce the amount of data transmitted over this dedicated connection, including data compression, persistent caching of bitmaps, and caching of glyphs and fragments in RAM. All data transmitted over this connection is encrypted by RDP.

1. RC4
   The RC4 cipher suite, from Rivest-Shamir-Adleman (RSA), is the default cipher suite used by RDP to encrypt all data transmitted between the local and remote desktop during a remote desktop session. RC4 is a stream cipher designed to efficiently encrypt small amounts of data. System administrators can choose between a 56-bit and a 128-bit key with which to encrypt the data. Clients that do not support this encryption level cannot connect to the RDP Session Host servers. A vulnerability existed in the method used to encrypt sessions in earlier versions of RDP; this vulnerability could allow unauthorised access to the session through a man-in-the-middle (MITM) attack.

2. SSL/TLS
   The Secure Sockets Layer (SSL) protocol, version 1.0, was developed in 1994 by the Netscape Communications Corporation to facilitate secure communications over the Internet. SSL was designed to run over TCP/IP and below higher-level protocols such as HTTP, FTP, SMTP and IMAP. It used TCP/IP on behalf of the higher-level protocols and, in the process, allowed an SSL-enabled server to authenticate itself to an SSL-enabled client, and the client to authenticate itself to the server, enabling both machines to establish an encrypted connection. In 1999, SSL was superseded by Transport Layer Security (TLS) after the Internet Engineering Task Force (IETF) officially took over and began to standardise the protocol; 'SSL' was renamed 'TLS'. TLS is a more secure and efficient protocol supporting newer and more secure algorithms, and it seeks to provide authentication, privacy and data integrity between two (2) communicating applications. TLS uses a combination of symmetric and asymmetric cryptography. Symmetric cryptography uses a secret key, between 128 and 256 bits in length, known to both sender and recipient, to encrypt and decrypt the data. Asymmetric cryptography uses key pairs: a public key and a private key. The public key is mathematically related to the private key, but given sufficient key length it is computationally impractical to derive the private key from the public key. This allows the sender to encrypt data with the recipient's public key, knowing that it can only be decrypted with the recipient's private key.

3. CredSSP
   The Credential Security Support Provider protocol (CredSSP) is the amalgamation of TLS with Kerberos and NT LAN Manager (NTLM). Besides enabling authentication of the remote computer's identity, CredSSP also facilitates user authentication and the transfer of user credentials from client to server, enabling single sign-on scenarios. When CredSSP begins execution, the TLS handshake is always executed first. Once a TLS channel has been established, Kerberos or NTLM is used within the TLS channel to authenticate the user. Once Kerberos or NTLM has completed successfully, the user's credentials are sent to the server. Traffic on the wire remains encrypted with TLS and is wrapped by TLS headers. There is no double encryption of traffic because the Kerberos (or NTLM) session is securely bound to the TLS session. On 13 March 2018, the Microsoft Corporation disclosed CVE-2018-0886, a vulnerability in CredSSP that could allow remote code execution. CVE-2018-0886 has a CVSS 3.x Base Score of 7.0.

Common Vulnerabilities and Exposures (CVEs) - RDP.

Constituents that utilise RDP and have not applied the relevant software patches released by the Microsoft Corporation for the CVEs listed below are advised to do so.

CVE-2019-0708 - BlueKeep Vulnerability.

In May 2019, the Microsoft Corporation disclosed CVE-2019-0708, a remote code execution vulnerability in Remote Desktop Services (RDS), also known as 'BlueKeep'. This vulnerability is pre-authentication and requires no user interaction, making it particularly dangerous as it has the potential to be weaponised into a destructive exploit. If successfully exploited, this vulnerability could allow arbitrary code to be executed with 'system' privileges. The Microsoft Security Response Center advisory indicates that the vulnerability may also be wormable, a behaviour seen in attacks including WannaCry and EsteemAudit. Due to the seriousness of this vulnerability and its potential impact on the public, the Microsoft Corporation released an out-of-band patch for the remote code execution vulnerability, and also took the rare step of releasing a patch for the Windows XP operating system, which it no longer supported, in a bid to protect Windows users. Under the Common Vulnerability Scoring System (CVSS), CVE-2019-0708 has a CVSS 3.x Base Score of 9.8 and is regarded as Critical.

CVE-2018-0886 - CredSSP remote code execution vulnerability.

On 13 March 2018, the Microsoft Corporation disclosed CVE-2018-0886, a vulnerability in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709, that allows remote code execution due to how CredSSP validates requests during the authentication process, aka "CredSSP Remote Code Execution Vulnerability". An attacker who successfully exploits this vulnerability could relay user credentials to execute code on the target system. Any application that depends on CredSSP for authentication may be vulnerable to this type of attack. Under the Common Vulnerability Scoring System (CVSS), CVE-2018-0886 has a CVSS 3.x Base Score of 7.0 and is regarded as High.

Verification

To confirm an Internet accessible RDP service, a tool such as the 'Nmap' open source network scanner utility program can be utilised.

Nmap is used to discover hosts and services on a computer network by sending packets and analysing the responses.

Insert the IP address of the host you wish to check for an Internet accessible RDP service when invoking the 'Nmap' open source network scanner utility program.

$ nmap -Pn -sV -p T:3389 xxx.xxx.xxx.xxx

An Internet accessible RDP service will return information similar to that shown below:

$ nmap -Pn -sV -p T:3389 xxx.xxx.xxx.xxx

Starting Nmap 7.01 ( https://nmap.org ) at 2021-03-24 16:54 GMT
Nmap scan report for www.xxxxxxxxx.ie (xxx.xxx.xxx.xxx)
Host is up.

PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.96 seconds

Options
-Pn : Treat all hosts as online -- skip host discovery.
-sV : Probe open ports to determine service/version info.
-p  : Only scan specified ports.
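As an added example that is not part of the original advisory, the following Python script goes one step beyond the Nmap port check above: it performs the RDP security negotiation behind the cipher suite table (Standard RDP Security with RC4, TLS, or CredSSP), offers the server only the legacy RC4 option, and reports whether the server accepts it, insists on TLS, or requires CredSSP (Network Level Authentication). The function names are hypothetical, the message layout follows the public MS-RDPBCGR specification, and the embedded sample reply is constructed, so the decoding can be exercised offline; it assumes you are checking one of your own Session Host servers.

```python
import socket
import struct

PROTOCOL_RDP = 0x0  # Standard RDP Security (RC4); TLS is 0x1, CredSSP/NLA is 0x2
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def build_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ (MS-RDPBCGR)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    x224 = bytes([14, 0xE0, 0, 0, 0, 0, 0]) + neg_req  # LI=14, CR code, refs, class 0
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm and any RDP_NEG_RSP/FAILURE."""
    if len(data) < 11 or data[0] != 3 or data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    body = data[11:tpkt_len]
    if len(body) < 8:   # no negotiation structure: legacy Standard RDP Security only
        return {"outcome": "legacy", "selected": PROTOCOL_RDP}
    kind, _flags, _length, value = struct.unpack("<BBHI", body[:8])
    if kind == 0x02:    # RDP_NEG_RSP: server accepted one of the offered protocols
        return {"outcome": "accepted", "selected": value}
    if kind == 0x03:    # RDP_NEG_FAILURE: server refused and states what it requires
        return {"outcome": "failure", "code": FAILURE_CODES.get(value, value)}
    raise ValueError(f"unexpected negotiation type {kind:#x}")

def classify(result):
    """Turn the negotiation result into a verdict a defender can act on."""
    if result["outcome"] == "failure":
        if result["code"] == "HYBRID_REQUIRED_BY_SERVER":
            return "NLA (CredSSP) enforced"
        if result["code"] == "SSL_REQUIRED_BY_SERVER":
            return "TLS enforced, NLA not required"
        return f"refused: {result['code']}"
    if result["selected"] == PROTOCOL_RDP:
        return "Standard RDP Security (RC4) accepted"
    return f"accepted protocol {result['selected']:#x}"

def probe(host, port=3389, timeout=5.0):
    """Offer only Standard RDP Security and report what the server negotiates."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return classify(parse_connection_confirm(sock.recv(1024)))

# Constructed sample reply (not a real capture): RDP_NEG_FAILURE, code 5 = NLA required
SAMPLE_NLA_REQUIRED = bytes.fromhex("03000013 0ed00000123400 0300080005000000")
```

A verdict of "Standard RDP Security (RC4) accepted" on an Internet-facing host is exactly the configuration the Solution section below advises against; "NLA (CredSSP) enforced" means the server will not proceed past the negotiation without TLS and user authentication.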

Solution

As previously stated, RDP is a very useful tool but it must be configured securely to mitigate the risks outlined above.  The following steps should be considered to ensure the highest level of security possible.

  • Ideally, internet-facing RDP should be disabled, either on the servers themselves and/or via appropriate perimeter firewall controls, i.e. disallow external connections to local machines on port 3389/TCP and 3389/UDP or any other port.
  • It is recommended that RDP be configured to use SSL/TLS in preference to the default RC4 cipher suite, as TLS is a more secure and efficient protocol supporting newer and more secure algorithms and seeks to provide authentication, privacy and data integrity between two (2) communicating applications.
  • It is recommended that all security updates and software patches released by the Microsoft Corporation specifically relating to RDP be applied.
  • Mandate strong and complex passwords for all accounts that can be logged into via RDP.
  • Use Multi Factor Authentication rather than relying on a single password.
  • Provide RDP access to required resources via a Virtual Private Network (VPN) solution.
  • Use the least privilege model for providing remote access: use low privilege accounts to authenticate, and provide an audited process to allow a user to escalate their privileges within the remote session where necessary.
  • Implement an account lockout policy for consecutive failed login attempts, with appropriate logging and alerting, e.g. implement a Security Information and Event Management (SIEM) system.
  • Ensure your endpoint security software is correctly configured to protect against tampering or uninstallation.
  • Ensure all accessible servers are patched and maintained at vendor-supported software levels. Legacy servers which have not been or cannot be patched and updated should not be accessible from outside the network and should be segregated from the rest of the network where possible.

Additional Information

Microsoft - Remote Desktop Protocol.
Microsoft - Security guidance for remote desktop adoption.
Microsoft - 5.4.5.2 CredSSP.
Microsoft - CredSSP updates for CVE-2018-0886.
SANS - An Update on the Microsoft Windows RDP "Bluekeep" Vulnerability (CVE-2019-0708).
Shadowserver Foundation - Accessible RDP Report.
Shadowserver Foundation - Accessible Remote Desktop Protocol Scanning Project.
Cyphere - RDP Security Risks and Encryption Explained.
Cyphere - SSL/TLS Protocols: Definition, Differences, Versions & Vulnerabilities.
ESET - Researcher Aryeh Goretsky - It's time to disconnect RDP from the Internet.
DISPEL - Forcing RDP to use TLS Encryption.
IETF - RFC6101 - The Secure Sockets Layer (SSL) Protocol Version 3.0.
IETF - RFC2246 - The TLS Protocol Version 1.0.
IETF - RFC8446 - The Transport Layer Security (TLS) Protocol Version 1.3.
FBI - Cyber Actors Increasingly Exploit The Remote Desktop Protocol to Conduct Malicious Activity.
ENISA - ENISA Threat Landscape 2021.
MITRE ATT&CK - Remote Services: Remote Desktop Protocol.
Cloudflare - What is the Remote Desktop Protocol (RDP).
RAPID7 - Remote Desktop Protocol (RDP) Exposure.