Check Point Research had previously shown a vulnerability in RDP could give bad actors the means to connect to the client. By exploiting one of the newly discovered flaws, an attacker can branch out from the RDP and control an entire local network. In its research, Check Point found 16 major vulnerability from 25 security issues. These flaws were observed in the open source FreeRDP client and rdesktop. More worryingly, some vulnerabilities were also found in Microsoft’s own RDP technology. Microsoft said that the research “is valid but does not meet our bar for servicing” and did not release a patch. The company has now changed its mind and send out a patch for the remote execution bug CVE-2019-0887. Rolled out last month, the fix sorts “how Remote Desktop Protocol handles clipboard redirection”.
Fix
It seems Microsoft decided to act on the vulnerability after it emerged it could be exploited to create a sandbox escape or virtual machine (VM) Escape in the company’s Hyper-V Manager. Itkin and Microsoft security engineer Dana Baril presented how the flaw can move from RDP to Hyper-V at a Black Hat event this week. A connection was discovered between RDP and Hyper-V through the use of remote desktop in Enhanced Sessions, a default setting in Hyper-V. “It turns out that RDP is used behind the scenes as the control plane for Hyper-V,” Itkin explains. “Instead of reimplementing screen-sharing, remote keyboard and synchronized clipboard features, Microsoft decided that all these features are already implemented as part of RDP, so why not use it in this case as well?”
