Expert Advice on Attackers bypassing Microsoft RDP

On June 4, 2019, the CERT Coordination Centre (CERT/CC) Carnegie Mellon’s Computer Emergency Response Team released an advisory regarding discovered behaviour in the Microsoft Windows Remote Desktop Protocol (RDP), which can allow an attacker to bypass the lock screen on some remote sessions.

Microsoft was notified of this finding and has stated that the “behaviour does not meet the Microsoft Security Servicing Criteria for Windows,” meaning there will be no patch available at least for the time being.

It is understandable that many organisations still scrambling to ensure their systems are not vulnerable to the recent (“BlueKeep”RDP wormable vulnerability) would not be thrilled that there is yet another RDP issue they need to deal with.

Expert Comments:

Tom Sellers, Manager, Rapid7 Labs:

“According to Microsoft, the issue described in this CVE is how Network Level Authentication is supposed to work in modern versions of Windows running and accessing RDP sessions. In other words, this is a weakness but not something that requires mitigation viapatching.”

What can organisations do?

“For starters, businesses can develop a communication plan that ensures all users of RDP know to **lock their own workstations** when they are not in front of them and especially if they have an active RDP session established. Said communication plan should also include guidance to disconnect from RDP sessions instead of just locking the remote screen if a user needs to step away from a session for any significant length of time.

“It may also be possible to detect instances of mass RDP screen unlocks by performing regular internal RDP scans (including on-connect screenshot) to ensure all systems are, indeed, locked.”

Is this world ending?

“Yes, in about a few billion years, but definitely not because of this new RDP CVE. The CVSS base, temporal, and environmental scores for CVE-2019-9510 are all within the 4–5 range (out of 10). A big reason for that is the limited scope and “perfect storm” required to take advantage of the RDP NLA weakness. While this affects all modern versions of Microsoft Windows (Windows 10 1803, Server 2019 and later) Remember, this only impacts specific versions of Windows (Windows 10 1803 and Windows Server 2019), and, attackers need to be in a position to either watch for these events to take place on their own (as networks are not perfect) or initiate potentially noisy network actions to facilitate the disconnect and take advantage of a (hopefully) brief window of opportunity.

“It is important to note that this is a potential vector for finely tuned targeted attacks. It’s also likely to be used by penetration testers or red teams, especially if the weakness stays in NLA-protected RDP in future Windows versions.

“For now, Rapid7 Labs suggests that organisations focus on ensuring you’re safe from “BlueKeep” before addressing this new attack vector and focus on communication and detection vs. falling prey to any media- or industry-driven hype. If you have the inclination, you could set up an Active Directory GPO to automatically kill disconnected RDP sessions, as described here, but again, this is not a “drop what you’re doing and solve this now” kind of problem — this is more along the lines of doing something to get your IT management off your back while you get back to work on continuous scanning and patch management and other important tasks.”

Rapid7 Managed Detection and Response team members and internal security researchers are investigating whether it might be possible to detect abnormal activity around this potential attack vector by monitoring the following Windows Events:

Event ID: 24

Provider Name: Microsoft-Windows-TerminalServices-LocalSessionManager

Description: “Remote Desktop Services: Session has been disconnected:”

Event ID: 25

Provider Name: Microsoft-Windows-TerminalServices-LocalSessionManager

Description: “Remote Desktop Services: Session reconnection succeeded:”

Event ID: 40

Provider Name: Microsoft-Windows-TerminalServices-LocalSessionManager

Description: “Session <X> has been disconnected, reason code <Z>”

in: `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`

or:

Event ID: 4778

Provider Name: Microsoft-Windows-Security-Auditing

Description: “A session was reconnected to a Window Station.”

Event ID: 4779

Provider Name: Microsoft-Windows-Security-Auditing

Description: “A session was disconnected from a Window Station.”

in: `%SystemRoot%\System32\Winevt\Logs\Security.evtx`.