RDP Exposure at 5 Million

Tuesday, March 20, 2012 @ 01:03 PM gHale

In the wake of the release of the patch for the Remote Desktop Protocol (RDP) bug, and the subsequent publication of exploit code for it, network security researcher Dan Kaminsky thought it would be a good idea to scan the Internet.

He started the scan Friday and covered 300 million IP addresses. Within that address space he found about 415,000 machines speaking some part of the RDP protocol.


Extrapolate that sample to the whole Internet and there are roughly five million machines open to attack if they are not patched right away.

“Extrapolating from this sample, we can see that there’s approximately five million RDP endpoints on the Internet today. Now, some subset of these endpoints are patched, and some (very small) subset of these endpoints aren’t actually the Microsoft Terminal Services code at all. But it’s pretty clear that, yes, RDP is actually an enormously deployed service, across most networks in the world,” Kaminsky said.

“There’s something larger going on, and it’s the relevance of a bug on what can be possibly called the Critical Server Attack Surface. Not all bugs are equally dangerous because not all code is equally deployed. Some flaws are simply more accessible than others, and RDP — as the primary mechanism by which Windows systems are remotely administered — is a lot more accessible than a lot of people were aware of.”

RDP sees use in enterprise networks and small business environments for remote management of machines. In larger networks that have tight administration and regular patching programs and schedules, administrators will address the issue either through patching or by disabling RDP on machines.

But in smaller networks that may not have a full-time administrator or IT staff, the problem is somewhat more slippery. If business owners are not aware of RDP or what it’s for, they may also not realize the importance of patching the vulnerability.

That leaves a large potential target base for attackers, even if the majority of enterprise administrators patch their vulnerable machines. Kaminsky contrasted the RDP vulnerability to a serious remote code execution flaw in Telnet that surfaced last year and was a major threat. But the number of vulnerable machines in that case was in the low tens of thousands, rather than the millions.

“RDP’s just on a different scale. There’s a very good chance that your network is exposing some RDP surface,” Kaminsky said. “If you have any sort of crisis response policy, and you aren’t completely sure you’re safe from the RDP vulnerability, I advise you to invoke it as soon as possible.”
