Tripwire’s Vulnerability and Exposures Research Team (VERT) identified an issue with the FIPS-based implementation of message authentication code (MAC) signature verification on versions of RDP (Version 8) that shipped with Windows 8.1 and could allow man-in-the-middle (MitM) attacks to modify RDP content.
The MAC signature is used to verify message integrity and authenticity, making it a crucial component of the RDP message exchange. When using Windows 8.1, the RDP Server does not validate this signature, which means that a random 8 byte value could be sent and normal operation would continue.
Microsoft has explained how to calculate the MAC signature here http://msdn.microsoft.com/en-us/library/cc240790.aspx.
RDP – What is it?
Remote Desktop Protocol is a proprietary protocol developed by Microsoft. RDP allows you to use a graphical interface to connect to another computer via the network.
FIPS – What is it?
FIPS or Federal Information Processing Standards is a set of security and communication criteria published by the US Government for use by all non-military government agencies. Microsoft RDP can be configured to use FIPS-compliant encryption.
In these examples the MAC signature is “tripwire”. The data signature can be set to anything as long as it is 8 bytes. For testing purposes Windows 7 didn’t have the vulnerable version of RDP.
In the ClientInfo packet, the mac signature was set to “tripwire”. After the server received the ClientInfo packet, the connection was dropped. This occurs because the signature verification failed.
As with the last example, we set the MAC signature to “tripwire” but the connection continues due to the flaw in the MAC signature verification process.
Microsoft has released a patch today that resolves this issue. If, for some reason, you cannot install the patch, you can disable FIPS and configure RDP to use NLA (Network Level Authentication).
- Patch Tuesday Rundown for June 2014
- To Pen Test or Not to Pen Test: That is the Question…
- So You Like Pain and Vulnerability Management?
- Traceroute is Not a Vulnerability
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock