Date: 2022-01-20

A new vulnerability in the RDP protocol was discovered by CyberArk and has already been fixed by Microsoft. The vulnerability allows an attacker to gain access to client machines connected to a vulnerable server, and so to impersonate other users and potentially escalate privileges.

New vulnerability in the RDP protocol discovered by CyberArk

The vulnerability discovered by CyberArk, described in a technical article on the company’s blog, requires an attacker to already have access via RDP to a compromised machine. In such a case, the attacker can exploit a lack of checks in the RDP server to intercept connections from clients and obtain, as well as potentially modify, the data they carry. For example, an attacker who exploited this vulnerability could obtain the credentials of logged-in users, potentially gaining access to accounts with administrative-level privileges.

It is, in fact, an attack that allows an attacker to easily become a man in the middle, that is, a third party capable of intercepting communications, reading them and modifying them. Through this vulnerability, moreover, it is possible to gain access to any resource on a client machine that connects to the RDP server, including the smart card. CyberArk demonstrated how it is possible to gain access to the smart card and its PIN when a user connects to a server controlled by an attacker; this way the attacker can connect to any other resource on the victim’s network using the victim’s credentials.

The vulnerability affects all versions of Windows Server examined, i.e. from 2008 R2 onwards. Microsoft has already released patches for all supported versions of Windows.