
Microsoft Releases A Patch For The Security Bug On Its RDP Pipes That Opens Users To Data Theft

CyberArk has recently uncovered a vulnerability in Windows Remote Desktop Services. Microsoft addressed the issue, now tracked as CVE-2022-21893, with a fix in its latest security update.

The CVE-2022-21893 vulnerability could allow any standard, unprivileged user connected to a remote machine via remote desktop to gain file system access to other users’ client machines. In turn, this “Joe-Schmoe user” can view and modify other connected users’ data and even impersonate their identity. Therefore, the security bug could lead to data privacy issues, lateral movement, and privilege escalation.

The bug affects most Windows versions in use today: Windows Server 2012 R2 and all subsequent releases, up to the latest client and server editions.

CyberArk, the company that disclosed CVE-2022-21893, explained in detail what happens behind the scenes.

Essentially, RDP splits a single connection into multiple logical channels, called virtual channels, that carry different kinds of data. Some channels carry RDP's core functionality; others carry protocol extensions. A number of these channels are handled by the RDS service itself, and there is an API for working with virtual channels, so an application can communicate with RDP clients over custom virtual channels of its own.

Named pipes are one of the most common interprocess communication mechanisms in Windows, and they follow a client/server model.

Usually, one server process handles multiple clients by creating several server instances of the same pipe. Each time a client connects to a named pipe, it is attached to exactly one instance. If more than one instance is available, the client is connected to the one that was created first; this is known as FIFO ordering.

The problem is that a different process, possibly a malicious one, can create server instances with the same pipe name, and combined with FIFO ordering this is what makes the attack possible.

Processes that handle virtual channels use named pipes to pass virtual channel data to and from the RDS service. The pipe's name is "TSVCPIPE-" followed by a GUID. The service generates the GUID once and reuses it for all sessions, so every pipe instance carries the same name.

CyberArk described the vulnerability in the following way on its website:

A process can create pipe server instances with the name of an existing pipe server if the security descriptor of the first instance allows it. It turns out that the TSVCPIPE security descriptor allows any user to create pipe server instances of the same name. Moreover, the data is sent over the pipes in clear text and without any integrity checks.

The company also described the attack scenario step by step, as it plays out in practice.

First, the attacker connects to the remote machine via RDP, lists the open named pipes, and learns the full name of the TSVCPIPE pipe. The attacker then creates a pipe server instance with that same name and waits for a new connection. When a new user's RDP session arrives, RDS creates its own pipe server instance for that session and a pipe client that attempts to connect to the pipe. Because of FIFO ordering, that pipe client lands on the attacker's instance, which was created earlier, instead of on the one RDS just created. The attacker can now connect as a client to the real RDS pipe server instance and hold both ends of the connection: a man-in-the-middle position from which the attacker relays the data back and forth, reading it and, optionally, modifying it along the way.
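The two mechanics the scenario above relies on, FIFO ordering between server instances of one pipe name and the precondition that another user is allowed to create such an instance at all, can be observed directly from Windows PowerShell. The following is an added example written for this page; it is not CyberArk's proof of concept and not code from the original article. The FIFO demonstration uses a throwaway pipe name of its own, so it never touches the real RDS pipe; the `TSVCPIPE-*` filter, the function names, and the "attacker"/"service" labels are illustrative assumptions. It targets Windows PowerShell 5.1 (.NET Framework).

```powershell
# Added example for this page (not CyberArk's PoC). Windows PowerShell 5.1.
# 1. Get-TsvcPipeNames        - the enumeration step: list TSVCPIPE-<GUID> pipes.
# 2. Test-PipeInstanceCreatable - the precondition: can THIS user add a server
#    instance to an existing pipe name? (ACCESS_DENIED means the DACL blocks it.)
# 3. Show-FifoHijack          - the mechanism, on a private pipe name: the
#    instance created first receives the next client, whoever created it.

function Get-TsvcPipeNames {
    # \\.\pipe\ can be enumerated like a directory; strip the prefix, keep TSVCPIPE-*.
    $prefix = '\\.\pipe\'
    [System.IO.Directory]::GetFiles($prefix) |
        ForEach-Object { $_.Substring($prefix.Length) } |
        Where-Object { $_ -like 'TSVCPIPE-*' }
}

function Test-PipeInstanceCreatable {
    # Returns $true if the current user can create another server instance of
    # $PipeName. The probe instance is disposed at once, but it does exist for a
    # moment, so run this only on hosts you are authorised to test.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$PipeName)
    try {
        $probe = [System.IO.Pipes.NamedPipeServerStream]::new($PipeName,
            [System.IO.Pipes.PipeDirection]::InOut,
            [System.IO.Pipes.NamedPipeServerStream]::MaxAllowedServerInstances,
            [System.IO.Pipes.PipeTransmissionMode]::Byte,
            [System.IO.Pipes.PipeOptions]::Asynchronous)
        $probe.Dispose()
        return $true
    } catch {
        # A denied create surfaces as UnauthorizedAccessException, possibly wrapped
        # in PowerShell's MethodInvocationException; report either and return $false.
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }
        Write-Verbose "Cannot create an instance of '$PipeName': $($e.GetType().Name): $($e.Message)"
        return $false
    }
}

function Show-FifoHijack {
    # Constructed demo: "attacker" instance created first, "service" instance second,
    # both waiting; a client then connects and FIFO decides which one gets it.
    $name = 'DemoPipe-' + [guid]::NewGuid().ToString()   # private, throwaway name
    $dir  = [System.IO.Pipes.PipeDirection]::InOut
    $max  = [System.IO.Pipes.NamedPipeServerStream]::MaxAllowedServerInstances
    $mode = [System.IO.Pipes.PipeTransmissionMode]::Byte
    $opts = [System.IO.Pipes.PipeOptions]::Asynchronous

    $attacker = [System.IO.Pipes.NamedPipeServerStream]::new($name, $dir, $max, $mode, $opts)
    $service  = [System.IO.Pipes.NamedPipeServerStream]::new($name, $dir, $max, $mode, $opts)
    $waits    = @($attacker.WaitForConnectionAsync(), $service.WaitForConnectionAsync())

    # The "victim" client simply connects by name and sends its data.
    $client = [System.IO.Pipes.NamedPipeClientStream]::new('.', $name, $dir)
    $client.Connect(2000)
    $bytes = [System.Text.Encoding]::ASCII.GetBytes('hello service')
    $client.Write($bytes, 0, $bytes.Length)

    $winner = [System.Threading.Tasks.Task]::WaitAny($waits, 2000)
    if ($winner -lt 0) { throw 'No server instance accepted the connection.' }
    $label = @('attacker (created first)', 'service (created second)')[$winner]

    # Read on whichever instance won to show that it, not the other, holds the data.
    $buf = New-Object byte[] 64
    $n   = @($attacker, $service)[$winner].Read($buf, 0, $buf.Length)
    "Client was connected to: $label; it received '$([System.Text.Encoding]::ASCII.GetString($buf, 0, $n))'"

    $client.Dispose(); $attacker.Dispose(); $service.Dispose()
}

# Usage (constructed): probe every TSVCPIPE-* pipe on this host, then run the demo.
foreach ($p in Get-TsvcPipeNames) {
    '{0}: another instance creatable by this user = {1}' -f $p, (Test-PipeInstanceCreatable $p)
}
Show-FifoHijack
```

Run the probe as an ordinary (non-administrator) user in an RDP session: on a host that still has the behaviour the article describes, it reports `True` for the TSVCPIPE pipe, because the pipe's DACL lets any user add an instance; on a patched host, or for a pipe whose DACL reserves instance creation for the owner, it reports `False` and `-Verbose` shows the access-denied error. The FIFO demo creates both instances under your own account (so the DACL is not the obstacle) and lets the FIFO rule decide: the client ends up on the instance that was created first, which is exactly why an attacker who plants an instance before the service creates its own wins.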

So, this vulnerability is a clear example of an unconventional attack vector targeting RDP.

Luckily, Microsoft was quick to respond. CyberArk reported the vulnerability to Microsoft, together with an initial proof of concept, in August 2021. The Microsoft Security Response Center acknowledged the reported behavior only a few days later, rated the vulnerability "important", and shared its severity assessment. CyberArk then updated Microsoft on the RDPDR (device redirection) scenario and sent a new proof of concept. Microsoft assigned CVE-2022-21893 and released a patch fixing the issue on January 11, 2022.

Every Windows user should apply this patch, since the vulnerability affects almost all Windows versions. Developers of applications that use custom virtual channels should also check whether their own pipes can be hijacked in the same way and conduct their own security assessment to prevent unnecessary harm.
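For developers of applications that pass custom virtual channel data over named pipes, the check that matters is who the pipe's security descriptor allows to create further instances. The following is an added example for this page, not CyberArk's or Microsoft's code: it creates a pipe server whose DACL grants clients read and write access but reserves CreateNewInstance for the service's own account, then reads the DACL back to list the identities that can add instances. The function names and the `MyVcPipe-` name are illustrative assumptions; it targets Windows PowerShell 5.1 (.NET Framework).

```powershell
# Added example for this page (not CyberArk's or Microsoft's code). Windows PowerShell 5.1.
# Hardened pipe server: clients may read/write, only the owning account may add instances.

function New-HardenedPipeServer {
    param(
        [Parameter(Mandatory)][string]$PipeName,
        [int]$MaxInstances = [System.IO.Pipes.NamedPipeServerStream]::MaxAllowedServerInstances
    )
    $me       = [System.Security.Principal.WindowsIdentity]::GetCurrent().User   # service account SID
    $everyone = [System.Security.Principal.SecurityIdentifier]::new(
                    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow

    # Clients need ReadWrite plus Synchronize (CreateFile with GENERIC_READ/WRITE
    # asks for SYNCHRONIZE); they deliberately get no CreateNewInstance bit.
    $clientRights = [System.IO.Pipes.PipeAccessRights](
        [int][System.IO.Pipes.PipeAccessRights]::ReadWrite -bor
        [int][System.IO.Pipes.PipeAccessRights]::Synchronize)

    $sec = [System.IO.Pipes.PipeSecurity]::new()
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new($me,
        [System.IO.Pipes.PipeAccessRights]::FullControl, $allow))
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new($everyone, $clientRights, $allow))

    # The explicit DACL is applied on creation; whatever is not granted is denied,
    # so no other account can squat a second instance of this name.
    [System.IO.Pipes.NamedPipeServerStream]::new($PipeName,
        [System.IO.Pipes.PipeDirection]::InOut, $MaxInstances,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::Asynchronous, 4096, 4096, $sec)
}

function Get-PipeInstanceCreators {
    # Read an open pipe's DACL back and list identities with CreateNewInstance.
    param([Parameter(Mandatory)][System.IO.Pipes.PipeStream]$Pipe)
    $create = [int][System.IO.Pipes.PipeAccessRights]::CreateNewInstance
    $Pipe.GetAccessControl().GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.PipeAccessRights -band $create) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value }
}

# Usage (constructed): create the pipe, show who may add instances, clean up.
$pipe = New-HardenedPipeServer -PipeName ('MyVcPipe-' + [guid]::NewGuid().ToString())
'Identities allowed to create further instances: ' + ((Get-PipeInstanceCreators $pipe) -join ', ')
$pipe.Dispose()
```

The read-back should list only the account that created the pipe. Two design notes: a service that needs exactly one instance can instead pass `1` as the instance count, which makes .NET's constructor request `FILE_FLAG_FIRST_PIPE_INSTANCE`, so creation fails loudly if an instance of that name already exists rather than quietly joining an attacker's queue; and on PowerShell 7 (.NET 5+) the constructor that accepts a `PipeSecurity` is gone, so the same DACL is applied through `System.IO.Pipes.NamedPipeServerStreamAcl.Create` from the `System.IO.Pipes.AccessControl` package. Neither replaces the other point the article makes: data on the pipe is sent in clear text without integrity checks, so restricting who can create instances is the control that keeps a second process out of the conversation in the first place.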