Microsoft Remote Desktop Protocol Memory Corruption Vulnerability

Act NowICS-CERT ICSA-12-079-01Dec 21, 2012

Summary

Microsoft Remote Desktop Protocol (RDP) in Windows XP, Vista, Server 2003, 2008, and Windows 7/Server 2008 R2 systems contains a memory corruption vulnerability (CWE-94) that can be triggered remotely without authentication. An attacker sending malformed RDP packets to port 3389 could cause memory corruption and potentially execute arbitrary code. No vendor patches are available for Windows XP, Vista, Server 2003, or Server 2008 systems as these platforms are end-of-life. Windows 7 and Server 2008 R2 systems may have patches available (KB2621440, KB2667402) depending on configuration.

What this means

What could happen

A memory corruption flaw in Remote Desktop Protocol (RDP) could allow an attacker to execute arbitrary code on Windows systems running RDP services, potentially taking control of critical infrastructure servers or engineering workstations.

Who's at risk

Water utilities and electric utilities relying on Windows-based engineering workstations, HMI (human-machine interface) servers, SCADA data historian systems, and remote management infrastructure are affected. This includes any facility using Windows XP, Vista, Server 2003, 2008, or early Windows 7/Server 2008 R2 systems with RDP enabled for remote access or maintenance.

How it could be exploited

An attacker with network access to port 3389 (RDP) can send specially crafted RDP packets to trigger a memory corruption vulnerability, potentially executing arbitrary code without authentication. This could compromise control servers or workstations managing industrial processes.

Prerequisites

Network access to RDP port (TCP 3389)
No authentication required
RDP service must be running on the target system

remotely exploitableno authentication requiredlow complexityhigh EPSS score (87.4%)no patch available for legacy systemsaffects engineering and management systems

Exploitability

Likely to be exploited — EPSS score 87.4%

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (18)

18 EOL

ProductAffected VersionsFix Status

Windows XP Service Pack 3 (KB2621440): vers:all/*All versionsNo fix (EOL)

Windows Server 2003 Service Pack 2 (KB2621440): vers:all/*All versionsNo fix (EOL)

Windows Server 2003 x64 Edition Service Pack 2 (KB2621440): vers:all/*All versionsNo fix (EOL)

Windows Server 2003 with SP2 for Itanium-based Systems (KB2621440): vers:all/*All versionsNo fix (EOL)

Windows Vista x64 Edition Service Pack 2 (KB2621440): vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGRestrict RDP access to trusted networks using firewall rules; do not expose RDP to the internet or untrusted network segments

HARDENINGDisable RDP services on systems that do not require remote access, particularly older Windows systems running XP, Vista, or Server 2003/2008

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

Windows XP Service Pack 3 (KB2621440): vers:all/*

HOTFIXFor Windows 7 and Server 2008 R2 systems, apply vendor patches (KB2621440 or KB2667402 as applicable) during scheduled maintenance windows

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: Windows XP Service Pack 3 (KB2621440): vers:all/*, Windows Server 2003 Service Pack 2 (KB2621440): vers:all/*, Windows Server 2003 x64 Edition Service Pack 2 (KB2621440): vers:all/*, Windows Server 2003 with SP2 for Itanium-based Systems (KB2621440): vers:all/*, Windows Vista x64 Edition Service Pack 2 (KB2621440): vers:all/*, Windows Server 2008 for 32-bit Systems Service Pack 2* (KB2621440): vers:all/*, Windows Server 2008 for Itanium-based Systems Service Pack 2\ (KB2621440): vers:all/*, Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1\ (KB2621440): vers:all/*, Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1\ (KB2621440): vers:all/*, Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1\ (KB2667402): vers:all/*, Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1*\ (KB2621440): vers:all/*, Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1\ (KB2621440): vers:all/*, Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1\ (KB2667402): vers:all/*, Windows XP Professional x64 Edition Service Pack 2 (KB2621440): vers:all/*, Windows Vista Service Pack 2 (KB2621440): vers:all/*, Windows Server 2008 for x64-based Systems Service Pack 2*\ (KB2621440): vers:all/*, Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1\ (KB2667402): vers:all/*, Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1*\ (KB2667402): vers:all/*. Apply the following compensating controls:

HARDENINGSegment engineering networks and control systems from general IT networks to limit RDP exposure and lateral movement if compromise occurs

HARDENINGEvaluate replacement or upgrade timelines for end-of-life Windows XP, Vista, Server 2003, and Server 2008 systems; plan migration to supported platforms

CVEs (1)

CVE-2012-0002

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0d588e27-8d5a-4901-80f6-d2c0abc557fa

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.