
Tripwire’s Vulnerability and Exposures Research Team (VERT) identified an issue with the FIPS-based implementation of message authentication code (MAC) signature verification in the version of RDP (version 8) that shipped with Windows 8.1. The flaw could allow a man-in-the-middle (MitM) attacker to modify RDP content.

The MAC signature is used to verify message integrity and authenticity, making it a crucial component of the RDP message exchange. On Windows 8.1, the RDP server does not validate this signature, which means that an arbitrary 8-byte value can be sent in place of the real MAC and normal operation continues.

Microsoft has explained how to calculate the MAC signature here.
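To make the failure concrete, here is an added example (not code from the article or from Microsoft) that puts a verifier with the described behaviour next to a correct one. The MAC construction is an assumption for illustration only: the first 8 bytes of HMAC-SHA1 over the data and its 4-byte little-endian length, which is the shape of the FIPS-mode MAC as I understand the protocol documentation; the key and ClientInfo payload are constructed sample values.

```python
import hmac
import hashlib
import struct

# Constructed sample values: a 20-byte MAC key and a stand-in ClientInfo payload.
MAC_KEY = bytes(range(20))
CLIENT_INFO = b"constructed ClientInfo payload"
FORGED_SIGNATURE = b"tripwire"  # the 8-byte placeholder the article used


def compute_mac(key: bytes, data: bytes) -> bytes:
    """Assumed FIPS-style 8-byte MAC: truncated HMAC-SHA1 over data || LE32(len(data)).

    This layout is an assumption for the example, not a statement of the exact
    RDP algorithm; the verification logic below does not depend on it.
    """
    h = hmac.new(key, data, hashlib.sha1)
    h.update(struct.pack("<I", len(data)))
    return h.digest()[:8]


def verify_mac_vulnerable(key: bytes, data: bytes, signature: bytes) -> bool:
    """Mirrors the behaviour the article describes: the server only checks that
    8 bytes are present and never compares them against the computed MAC."""
    return len(signature) == 8


def verify_mac_correct(key: bytes, data: bytes, signature: bytes) -> bool:
    """Recompute the MAC over the received data and compare in constant time."""
    if len(signature) != 8:
        return False
    expected = compute_mac(key, data)
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Run both verifiers against a genuine, a forged, and a tampered message."""
    genuine = compute_mac(MAC_KEY, CLIENT_INFO)
    # A MitM that alters the payload but leaves the original MAC in place.
    tampered = CLIENT_INFO.replace(b"payload", b"PAYLOAD")
    return {
        "vulnerable_accepts_forged": verify_mac_vulnerable(MAC_KEY, CLIENT_INFO, FORGED_SIGNATURE),
        "vulnerable_accepts_tampered": verify_mac_vulnerable(MAC_KEY, tampered, genuine),
        "correct_accepts_genuine": verify_mac_correct(MAC_KEY, CLIENT_INFO, genuine),
        "correct_rejects_forged": not verify_mac_correct(MAC_KEY, CLIENT_INFO, FORGED_SIGNATURE),
        "correct_rejects_tampered": not verify_mac_correct(MAC_KEY, tampered, genuine),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the pairing is that the length check alone gives no integrity: the vulnerable verifier accepts both the literal "tripwire" and a modified payload carrying the old MAC, while the correct verifier rejects both and still accepts the genuine message. `hmac.compare_digest` is used so the comparison itself does not leak timing information about how many leading bytes matched.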

RDP – What is it?

Remote Desktop Protocol is a proprietary protocol developed by Microsoft. RDP allows you to use a graphical interface to connect to another computer via the network.

FIPS – What is it?

FIPS, or Federal Information Processing Standards, is a set of security and communication criteria published by the US Government for use by all non-military government agencies. Microsoft RDP can be configured to use FIPS-compliant encryption.

In these examples the MAC signature is “tripwire”. The signature field can be set to anything as long as it is 8 bytes. Windows 7 is included for comparison, since it does not have the vulnerable version of RDP.

[Screenshot: Windows 7]

In the ClientInfo packet, the MAC signature was set to “tripwire”. After the server received the ClientInfo packet, the connection was dropped. This occurs because the signature verification failed.

[Screenshot: Windows 8]

As with the last example, we set the MAC signature to “tripwire” but the connection continues due to the flaw in the MAC signature verification process.

Fix/Workaround

Microsoft has released a patch today that resolves this issue. If, for some reason, you cannot install the patch, you can disable FIPS and configure RDP to use NLA (Network Level Authentication).
