Microsoft Has Already Patched a Vulnerability in Windows RDP Twice


This week, CyberArk researchers shared technical information about a named pipe RDP (Remote Desktop Protocol) vulnerability in Windows, for which Microsoft had to release two patches.

The RCE vulnerability CVE-2022-21893 was fixed on the January 2022 Patch Tuesday, but the underlying attack vector was not closed. In April 2022, Microsoft fixed the new bug, CVE-2022-24533.


CVE-2022-21893 is a Windows Remote Desktop Services (RDS) vulnerability that could allow an unprivileged user via RDP to access the file system of connected users’ devices.

“The original issue was caused by improper handling of named pipe permissions in Remote Desktop Services, which allowed non-admin users to take over RDP virtual channels in other connected sessions. The named pipe was created in such a way that it allowed every user on the system to create additional named pipe server instances with the same name,” the researchers write.

The vulnerability allows an attacker to view and modify the contents of the clipboard, sent files, and smart card PINs. An attacker can impersonate a logged-in user and gain access to the victim’s connected devices (USB devices, hard drives, etc.).

“This can lead to sensitive data leakage, lateral movement and privilege escalation,” CyberArk noted.

According to the researchers, the vulnerability exists due to improper handling of RDS named pipe permissions, which allows a user with normal privileges to “hijack RDP virtual channels in other connected sessions.”

“A named pipe allowed each user on the system to create additional pipe servers with the same name,” CyberArk explained.

Microsoft changed the permissions on pipes and prevented the regular user from creating named pipe servers. However, this did not remove the user’s ability to set permissions for subsequent instances. After the April fix, a new Globally Unique Identifier (GUID) is generated for new channels that prevents an attacker from predicting the name of the next channel.
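The two mitigations described above, restricting who may create instances of a pipe and giving each channel an unpredictable GUID-based name, shown on an ordinary .NET named pipe server. This is an added example, not Microsoft's RDS code or CyberArk's; it assumes Windows PowerShell 5.1, and the `demo-` name prefix and the helper function names are made up for illustration.

```powershell
# Added example; assumes Windows PowerShell 5.1 (.NET Framework).
Add-Type -AssemblyName System.Core
$Rights    = [System.IO.Pipes.PipeAccessRights]
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow
$createBit = [int][System.IO.Pipes.PipeAccessRights]::CreateNewInstance
$owner     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$everyone  = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

# Hypothetical helper: owner gets full control, everyone else gets $ClientRights.
function New-PipeAcl([System.IO.Pipes.PipeAccessRights]$ClientRights) {
    $acl = New-Object System.IO.Pipes.PipeSecurity
    $acl.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($owner, $Rights::FullControl, $Allow)))
    $acl.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($everyone, $ClientRights, $Allow)))
    $acl
}

# Hypothetical audit helper: allow-rules that let anyone other than the owner
# create further server instances under the same pipe name.
function Get-ForeignInstanceCreators([System.IO.Pipes.PipeSecurity]$Acl) {
    $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq $Allow -and
            $_.IdentityReference.Value -ne $owner.Value -and
            (([int]$_.PipeAccessRights -band $createBit) -ne 0)
        }
}

# Weak: every user may create instances. Hardened: clients may only read and write.
$weak     = New-PipeAcl -ClientRights ($Rights::ReadWrite -bor $Rights::CreateNewInstance)
$hardened = New-PipeAcl -ClientRights ($Rights::ReadWrite)
'weak DACL, foreign instance creators:     {0}' -f @(Get-ForeignInstanceCreators $weak).Count
'hardened DACL, foreign instance creators: {0}' -f @(Get-ForeignInstanceCreators $hardened).Count

# Constructed, unpredictable pipe name: a fresh GUID per channel.
$name = 'demo-{0}' -f [guid]::NewGuid()
$server = New-Object System.IO.Pipes.NamedPipeServerStream(
    $name, [System.IO.Pipes.PipeDirection]::InOut, 1,
    [System.IO.Pipes.PipeTransmissionMode]::Byte,
    [System.IO.Pipes.PipeOptions]::None, 4096, 4096, $hardened)
try {
    "listening on \\.\pipe\$name with the hardened DACL"
} finally {
    $server.Dispose()
}
```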

At the moment, there are no vulnerabilities, and users are safe. Experts recommended updating the service to the latest version to ensure data protection.

By Vladimir Krasnogolovy
