Alert: Microsoft Security Bulletin - MS02-051

From: Russ <Russ.Cooper@RC.ON.CA>
Date: Thu, 19 Sep 2002 12:08:15 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

http://www.microsoft.com/technet/security/bulletin/MS02-051.asp

Cryptographic Flaw in RDP Protocol can Lead to Information Disclosure (Q324380)

Originally posted: September 18, 2002

Summary

Who should read this bulletin: System administrators who operate terminal servers using Microsoft® Windows® 2000, or Windows XP users who have enabled Remote Desktop.

Impact of vulnerability: Two vulnerabilities: information disclosure, denial of service.

Maximum Severity Rating: Moderate.

Recommendation: Administrators of Windows 2000 terminal servers and Windows XP users who have enabled Remote Desktop should apply the patch.

Affected Software:
- Microsoft Windows 2000
- Microsoft Windows XP

Technical description:

The Remote Data Protocol (RDP) provides the means by which Windows systems can provide remote terminal sessions to clients. The protocol transmits a terminal session's keyboard, mouse and video information to the remote client, and is used by Terminal Services in Windows NT 4.0 and Windows 2000, and by Remote Desktop in Windows XP. Two security vulnerabilities, both of which are eliminated by this patch, have been discovered in various RDP implementations.

The first involves how session encryption is implemented in certain versions of RDP. All RDP implementations allow the data in an RDP session to be encrypted. However, in the versions in Windows 2000 and Windows XP, the checksums of the plaintext session data are sent without being encrypted themselves. An attacker who was able to eavesdrop on and record an RDP session could conduct a straightforward cryptanalytic attack against the checksums and recover the session traffic.
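The design point behind the first flaw is that an integrity value computed over the plaintext and sent in the clear is itself information about the plaintext. The following added example (not from the bulletin, and not a model of RDP's real cipher or checksum; the keystream, key derivation and session keys are constructed for illustration) contrasts that weak pattern with the usual hardened construction, in which a keyed tag is computed over the ciphertext under a per-session key, so an eavesdropper learns nothing from the tag and any modification of the ciphertext is detected:

```python
import hashlib
import hmac
import os
import zlib

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(session_key: bytes):
    # Separate encryption and MAC keys derived from one per-session key.
    enc_key = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from HMAC-SHA256 (illustrative only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(session_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    # Encrypt-then-MAC: the tag covers nonce + ciphertext, never the plaintext.
    enc_key, mac_key = derive_keys(session_key)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(session_key: bytes, blob: bytes) -> bytes:
    # Verify the tag in constant time before decrypting anything.
    enc_key, mac_key = derive_keys(session_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def plaintext_checksum(plaintext: bytes) -> int:
    # The weak pattern: an unkeyed checksum of the plaintext. If a protocol
    # transmits this in the clear, it is a function of the secret data alone.
    return zlib.crc32(plaintext)


def tag_depends_on_session(plaintext: bytes) -> dict:
    # Send the same plaintext in two independent sessions and report whether
    # each design's exposed integrity value changes with the session key.
    s1, s2 = os.urandom(32), os.urandom(32)
    weak_same = plaintext_checksum(plaintext) == plaintext_checksum(plaintext)
    strong_same = seal(s1, plaintext)[-TAG_LEN:] == seal(s2, plaintext)[-TAG_LEN:]
    return {"weak_checksum_session_independent": weak_same,
            "keyed_tag_session_independent": strong_same}
```

The weak checksum is identical for identical keystrokes regardless of the session key, which is why eavesdropped traffic becomes a cryptanalysis target; the keyed tag over ciphertext varies with the session key and nonce, and tampering with a single byte of the ciphertext is rejected before decryption.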

The second involves how the RDP implementation in Windows XP handles data packets that are malformed in a particular way. Upon receiving such packets, the Remote Desktop service would fail, and with it would fail the operating system. It would not be necessary for an attacker to authenticate to an affected system in order to deliver packets of this type to an affected system.

Mitigating factors:
Cryptographic Flaw in RDP Protocol:
- An attacker would need the ability to capture an RDP session in order to exploit this vulnerability. In most cases, this would require that the attacker have physical access to the network media.
- Because encryption keys are negotiated on a per-session basis, a successful attack would allow an attacker to decrypt only a single session and not multiple sessions. Thus, the attacker would need to conduct a separate cryptanalytic attack against each session he or she wished to compromise.

Denial of Service in Remote Desktop:
- Remote Desktop service in Windows XP is not enabled by default.
- Even if Remote Desktop service were enabled, a successful attack would require that the attacker be able to deliver packets to the Remote Desktop port on an affected system. Customers who block port 3389 at the firewall would be protected against attempts to exploit this vulnerability. (By default Internet Connection Firewall does block port 3389).
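The firewall mitigation above is only as good as the verification that port 3389 is actually unreachable from untrusted networks. The following added example (not part of the bulletin) audits firewall log lines in a constructed key=value format, assumed here for illustration, and reports accepted TCP connections to port 3389 from any source outside an assumed management network; the sample log lines and address ranges are constructed:

```python
import ipaddress
import re
from dataclasses import dataclass

RDP_PORT = 3389

# Assumed management networks from which RDP use is legitimate (constructed).
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.0/24")]

# Constructed log format: <timestamp> action=<ACCEPT|DROP> proto=<TCP|UDP> src=<ip>:<port> dst=<ip>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample lines: trusted accept, untrusted accept, dropped probe,
# unrelated HTTP traffic, and one malformed line the parser must skip.
SAMPLE_LOG = [
    "2002-09-19T12:00:01 action=ACCEPT proto=TCP src=10.1.2.3:51000 dst=192.0.2.10:3389",
    "2002-09-19T12:00:05 action=ACCEPT proto=TCP src=203.0.113.7:40112 dst=192.0.2.10:3389",
    "2002-09-19T12:00:09 action=DROP proto=TCP src=198.51.100.9:33333 dst=192.0.2.10:3389",
    "2002-09-19T12:00:12 action=ACCEPT proto=TCP src=203.0.113.8:40200 dst=192.0.2.10:80",
    "this line is not a firewall record",
]


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    reason: str


def parse_line(line: str):
    # Return a dict of fields for a well-formed record, or None for anything else.
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(src: str, allowed=ALLOWED_SOURCES) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)


def audit_rdp_exposure(lines, allowed=ALLOWED_SOURCES):
    # Flag every accepted TCP connection to the RDP port from an untrusted source.
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != RDP_PORT:
            continue
        if rec["action"] == "ACCEPT" and not is_trusted(rec["src"], allowed):
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"],
                                    "RDP accepted from untrusted source; port 3389 should be blocked at the firewall"))
    return findings


def summarize_rdp(lines, allowed=ALLOWED_SOURCES) -> dict:
    # Counts useful for a dashboard: trusted accepts, untrusted accepts, drops.
    counts = {"accepted_trusted": 0, "accepted_untrusted": 0, "dropped": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != RDP_PORT:
            continue
        if rec["action"] == "DROP":
            counts["dropped"] += 1
        elif rec["action"] == "ACCEPT":
            key = "accepted_trusted" if is_trusted(rec["src"], allowed) else "accepted_untrusted"
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for f in audit_rdp_exposure(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}: {f.reason}")
    print(summarize_rdp(SAMPLE_LOG))
```

A non-empty result from `audit_rdp_exposure` means the "block port 3389 at the firewall" mitigation is not in effect for that host; the dropped-probe count is the signal that the rule is doing its job.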

Vulnerability identifier:
- Weak Encryption in RDP Protocol: CVE-CAN-2002-0863
- Denial of Service in Remote Desktop: CVE-CAN-2002-0864

This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor