Topic: Microsoft warns: Administrators - Immediately apply critical MS12-020 update !!!

[Samker]

Attention Microsoft Windows administrators: Stop what you’re doing and apply the new — and very critical — MS12-020 update: http://technet.microsoft.com/en-us/security/bulletin/ms12-020

Microsoft is warning that there’s a remote, pre-authentication, network-accessible code execution vulnerability in its implementation of the RDP protocol.

From the bulletin:

"A remote code execution vulnerability exists in the way that the Remote Desktop Protocol accesses an object in memory that has been improperly initialized or has been deleted. An attacker who successfully exploited this vulnerability could run abitrary code on the target system. An attacker could then install programs; view,change, or delete data; or create new accounts with full user rights."

The vulnerability, which affects all versions of Windows, was privately reported to Microsoft’s via the ZDI vulnerability broker service and the company said it was not yet aware of any attacks in the wild.

Although RDP is disabled by default, Microsoft is urging all Window users to treat this issue with the utmost priority.

“Due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days,” Microsoft said: http://blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx

It’s important to note that the vulnerable code is reachable only if RDP is enabled and a mitigation feature in RDP called NLA (network level authentication) moves it to post-authentication which makes this vulnerability less likely to be wormed.  There are instructions here to enable NLA on Windows to reduce the severity of a potential attack: http://blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx

The Remote Assistance feature in Windows (see image above) provides checkboxes for users to choose between “more secure” and “less secure”.   On machines where RDP is enabled in the “less secure” mode, nothing blocks pre-auth code execution once a stable exploit is developed.

This issue is potentially reachable over the network by an attacker before authentication is required.
RDP is commonly allowed through firewalls due to its utility. The service runs in kernel-mode as SYSTEM by default on nearly all platforms (except for one exception described below). During our investigation, we determined that this vulnerability is directly exploitable for code execution. Developing a working exploit will not be trivial – we would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days.

In all, Microsoft shipped six security bulletins as part of this month’s Patch Tuesday batch. The updates address seven documented vulnerabilities in Microsoft Windows, Visual Studio and Expression Design.

(ZD)

[Pez]

Some more info!

RDP+RCE=Bad News (MS12-020)

The March Security Bulletin release from Microsoft was relatively light in volume. Out of the six bulletins released, only one was rated as Critical.

And for good reason. MS12-020 includes CVE-2012-0002. This flaw is specific to the Remote Desktop Protocol (RDP) present on most current versions of Microsoft Windows. The RDP service, by default, listens on TCP port 3389. And because it’s so darn convenient, lots of people like to open their firewalls/ingress points to the traffic.

This is a bad/dangerous/insecure thing. (Choose your own favorite term.) I hope this issue (and many others before it) will influence anyone’s decision-making process when it comes to network hardening, external access, etc.

This is certainly not the first flaw in RDP. It is quite significant in that it does not require authentication to exploit the flaw–just a firing of some specially crafted packets. From that point the world (or the world that the compromised host lives in) is the attacker’s oyster. This is especially bad because the RDP service runs in kernel mode, under the System account (in most cases).

Keep in mind that it is very easy and takes little time to find targets. You see this type of situation all too often:


It's Open!

This situation very quick leads to an intruder’s trying to login via brute force, or trying something new (like the flaw described in MS12-020) !


It Actually Works!!!!!

So, what can you do to protect your environment?

McAfee, Microsoft, and others firmly recommend that you prioritize the deployment of the MS12-020 update.

Other steps:

•RDP is typically disabled by default. If there is any doubt, investigate and confirm in your environment whether and where it running.
•In Windows Vista or later, enable Network Level Authentication (NLM)
•Even if you have NLM enabled, the flaw can be exploited if the attacker can gain authentication. This means you should verify strong (nondefault, sufficiently complex) user/password combinations.

Resources

•CVE-2012-0002: A closer look at MS12-020′s critical issue
•Microsoft Security Bulletin MS12-020
•McAfee Vulnerability Manager

Orginal article: Wednesday, March 14, 2012 at 3:18pm by Jim Walter

[mrjamez]

THANKS FOR THE INFO!