Security Hazard in RDP
Cendio Systems has discovered a serious security problem in Windows Terminal Services. The system is vulnerable to "Man-In-The-Middle-Attacks".
Introduction
Cendio Systems has investigated the Remote Desktop Protocol (RDP), the protocol used to access Windows Terminal Services, and found that the protocol is vulnerable to "Man In The Middle Attacks" (in the following referred to as "MITM" attacks). In an attack of this type a third party eavesdrops on, and in some cases modifies, the traffic between two computers by gaining access to the network path between them.
Vulnerable despite encryption
Although RDP is encrypted, it lacks functionality to verify the identity of the server it is communicating with. This opens the possibility for a third party to gain control of the network stream by exchanging the cryptographic keys with its own. The attack leads to a situation where all communication between client and server can be read in cleartext without the knowledge of either party.
Microsoft has verified the problem
Cendio swiftly communicated the issue to Microsoft, who responded that they have verified the problem. Microsoft did remark that they had never claimed to provide this functionality, but also that they were "researching the feasibility" of remedying the problem.
A Security Hazard
Erik Forsberg, security specialist at Cendio, says: "We find this a major threat against network security. We know of several organisations that use or plan to use RDP as part of their server based computer systems. If sensitive information is transferred using RDP, there is a clear and present danger that the network will be compromised. It's important to stress the fact that this vulnerability means that the logon password can be extracted in clear text."
Including Windows Server 2003
Cendio has tested the vulnerability with both versions 4 and 5 of RDP using Windows 2000 Terminal Server, Windows 2000 Advanced Server and even the upcoming Windows Server 2003. We found the same problem in all cases, which strongly suggests the problem exists in earlier versions of Windows as well.
ThinLinc is still secure
This issue does not concern ThinLinc. Inge Wallin, CTO of Cendio, explains: "We use SSH for the communication between clients and terminal server. This protocol does have verification of server identification when connecting. If there is a MITM between the client and the server, the connection will be aborted before any sensitive information is sent".
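The two situations described above, an encrypted session whose key exchange is not tied to a verified server identity and one where the client checks the server's identity before sending anything, can be modelled with a small Diffie-Hellman exchange. The code below is an added illustration written for this page; it is not Cendio's code and not RDP's or SSH's actual handshake. The tiny modulus, the `keypair`/`run_exchange` helpers and the pinned-fingerprint check (a simplified stand-in for SSH's known-hosts verification) are all constructed for the example.

```python
"""Toy model: an active intermediary on the network path can substitute its own
public values in an unauthenticated key exchange and end up holding both session
keys, while a client that pins the server's identity aborts instead.
Constructed illustration only; the parameters are far too small for real use."""
import hashlib
import secrets

P = 2**127 - 1   # toy Diffie-Hellman modulus (a Mersenne prime), for illustration only
G = 3            # toy generator


def keypair():
    """Return (private exponent, public value) for one party."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Session key derived from the peer's public value (hex digest, for comparison)."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).hexdigest()


def fingerprint(pub):
    """Short identity fingerprint of a server's public value (like a known-hosts entry)."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def run_exchange(server_pub, server_priv, intercept, pinned=None):
    """Run one client/server exchange. If `intercept` is True, an intermediary
    replaces each side's public value with its own. If `pinned` is given, the
    client compares the fingerprint of the value it receives against it and
    aborts on mismatch before deriving a key or sending any data."""
    c_priv, c_pub = keypair()
    m_priv, m_pub = keypair() if intercept else (None, None)
    seen_by_client = m_pub if intercept else server_pub   # what arrives at the client
    seen_by_server = m_pub if intercept else c_pub        # what arrives at the server
    if pinned is not None and fingerprint(seen_by_client) != pinned:
        return {"aborted": True, "client_key": None, "server_key": None, "mitm_can_read": False}
    client_key = shared_secret(c_priv, seen_by_client)
    server_key = shared_secret(server_priv, seen_by_server)
    mitm_can_read = False
    if intercept:
        # The intermediary holds one key per leg, so it can decrypt and re-encrypt both ways.
        mitm_can_read = (shared_secret(m_priv, c_pub) == client_key
                         and shared_secret(m_priv, server_pub) == server_key)
    return {"aborted": False, "client_key": client_key,
            "server_key": server_key, "mitm_can_read": mitm_can_read}
```

Without `pinned`, the intercepted run completes with two different session keys that the intermediary both knows, which is why encryption alone gives neither party any warning; with `pinned`, the same interception is refused before the client sends anything.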
Read the report at BugTraq: http://www.securityfocus.com/archive/1/317244/2003-04-01/2003-04-07/0
Information about MITM-attacks: http://www.cendio.se/files/mitm_en.pdf
Information about ThinLinc: http://www.thinlinc.com/
For more information concerning this issue, please contact Erik Forsberg or Inge Wallin.