This week has been an interesting one for followers of the info-sec arena. On Tuesday Microsoft released a patch and security bulletin for MS12-020 for a critical flaw in remote desktop protocol, allowing for remote code execution without the need to authenticate to the target system first. Since the patch was released the good, the bad and the ugly of infosec have been attempting to reverse engineer the patch to develop a functional exploit; and over the last 24hrs PoC code has started to become publicly available.
As a result, the SANS Internet Storm Centre has raised their InfoCon threat level to Yellow. This is because weaponised versions of functional exploit code are expected over the coming days and weeks, with past experience making it likely that the exploit will be linked to worm capabilities for automated propagation.
So, the sky is falling right? Not as much as the furore would have you believe. Despite this does have the potential to become a well known, well exploited and long running bug; it is defensible with solid practices in play.
- Turn it off: If you don’t need RDP (or any port/service for that matter), turn it off. Reduces the attack vector against known or unknown weaknesses in the service
- Patch it: Microsoft released a patch of the weakness on Tuesday BEFORE exploit code was widely publicly available. You should be patching systems as standard operations; if you’re not, no would be a good time to catch up and remove the oversight.
- Limit access: If you can’t turn the service off because you need it, does it need to be available to world? If not restrict access to trusted source locations only via either perimeter or host based firewalling (or both). It doesn’t remove the threat completely, but it should severely reduce the risk if you’re not accepting connections from any machine on the internet. Only allowing access to the port via a VPN connection would also reduce the ability of a malicious source to connect to the service.
- (Bonus Point) Logging: Make sure you keep a close eye on your system logs; if you do get compromised, the damage could be limited if you can identify and respond to the breach promptly.
I’ve enjoyed watching the action this week, and the potential fallout has the potential to be more interesting still; but you should be able to prevent your systems from become part of a large statistic of low-hanging fruit with a few easy or common steps to securing your environment against the threat.
–Andrew Waite