Remote Desktop Vulnerabilities: Identifying the Exposure and Patch Using Osquery

Posted by Guillaume Ross on 5/15/19 10:13 AM
Guillaume Ross
Find me on:

Microsoft has released an important patch to a remotely exploitable Remote Desktop Services (RDS) vulnerability. This vulnerability does not require any authentication and allows an attacker to run code remotely. Expect public exploits to start appearing soon.

Similar to bugs used by exploits like EternalBlue, it has the potential of becoming wormable.

While not necessarily easy to exploit, it is still serious enough that Microsoft released patches for all affected versions of Windows going as far back as XP, which normally does not get security updates. Windows 2012 and newer are not affected.

What should be done:

  1. Halt Any Exposure of RDS to the internet. RDS is often exposed to the Internet to provide remote access to workers or support staff. It is rarely patched frequently enough, configured to use proper transport encryption, and accessed with two-factor authentication. It is almost always a risky proposition to have RDS on the Internet.
  2. Deploy patches as soon as possible, and verify that it was done on all your Windows systems with RDS enabled.

How osquery or Uptycs can help:

Identifying Internet-Exposed Remote Desktop instances

Many systems on the Internet scan for open RDS instances, trying to brute-force their way in. You can easily spot internal instances that are listening to the Internet by monitoring the connections to them. Though the vulnerability only affects specific versions of Windows, we highly encourage you to consider any Internet exposed RDS as a vulnerability.

Simply query process_open_sockets where the local port is 3389, and the remote_address is not localhost or part of your network’s address space.

SELECT *

FROM process_open_sockets

WHERE local_port=3389

AND remote_address NOT LIKE '10.%'

AND remote_address NOT LIKE '172.16%'

AND remote_address NOT LIKE '192.168%'

AND remote_address NOT LIKE '0.0.0.0'

AND remote_address NOT LIKE '::';

AND remote_address NOT LIKE '0';

 

Any result returned will indicate a connection to port 3389, originating from unknown sources, on one of your endpoints. You then need to fix firewall rules that would allow this to occur, and run this query frequently to spot any other control failure.

To keep things simple, we included 172.16%, although this won’t cover all possible IPs under 172.16.0.0/22. If you use those ranges, we recommend you list the subnets you do not use in your query.

Uptycs alerting is built to handle non-RFC1918 IPs in a more scientific manner, but considering the amount of scanning and brute-forcing that occurs on RDS, this approach should provide a very valuable and quick way to identify machines to protect.

Identifying the presence of the new - or any - Windows patch

The patches table in osquery is especially useful in this situation.

As we know the patch is KB4500331, all we need to do is query for its presence, as well as check if the operating system has been identified as vulnerable. Windows 2008 R2 is the most recently identified and is represented by version 6.1.

The vulnerable versions that we can query with osquery are therefore:

  • 6.1 - Windows 7 and 2008 R2
  • 6.0 - 2008 (yes, and Vista - but who’s using that?)

Note: Older versions 2003 R2, 2003, XP are not supported by osquery.

SELECT patches.hotfix_id, os_version.major, os_version.minor from patches CROSS JOIN os_version WHERE patches.hotfix_id = 'KB4500331' AND os_version.major < 7 AND os_version.minor < 2;

 

Results indicate a machine that was previously vulnerable, but has been patched properly.

Stay safe!

While patching may take precedence this week, and new vulnerabilities are constantly discovered, ensuring services that use protocols like RDP and SMB/RPC are not exposed to the Internet will have a long-lasting impact on your security posture. Once you have ensured you do not see any exposure using osquery, you may want to scan all of your Internet IPs for these ports on a daily basis. One way to do this is by using a network scanning tool like nmap or MASSCAN to ensure no system is exposed, but not reporting to your centralized osquery platform.

Then, the next step would be ensuring that those same services are only exposed to people who need them, on systems that need them. You can customize the process_open_sockets query to see where lateral movement is done over port 3389, 445 or even 22, to help you plan further segmentation to ensure it’s only exposed where needed.


Special thanks to defensivedepth for helping test the query and finding a nice way of identifying only vulnerable OS versions.

Remarketing Ad_ Intro to osquery (Fun)

Topics: osquery tutorial, osquery, Windows

Uptycs Blog | Cloud Security Trends and Analysis

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you'll enjoy our blog enough to subscribe, share and comment.

Find Uptycs Everywhere

Subscribe for New Posts

Recommended Reads