RDP exploit watch: 5 million RDP endpoints found on internet

RDP exploit watch: 5 million RDP endpoints found on internet

Summary: Dan Kaminsky scans 300 million IP addresses (approximately 8.3% of the Internet) and finds about 415,000 "speaking the RDP protocol."


Security researcher Dan Kaminsky (right) has identified approximately five million internet-accessible RDP endpoints that are potentially sitting ducks for a network worm exploiting the MS12-020 vulnerability.

Kaminsky, best known for his work finding -- and helping to fix -- a flaw in the DNS infrastructure, scanned 300 million IP addresses (approximately 8.3% of the Internet) and found about 415,000 "speaking the RDP protocol."

"Extrapolating from this sample, we can see that there’s approximately five million RDP endpoints on the Internet today," Kaminsky warned.

He noted that some of those endpoints may already have applied the MS12-020 patch, which provides cover for a "critical" code execution --  remote, pre-authentication, network-accessible -- vulnerability in Microsoft’s implementation of the RDP protocol.

However, Kaminsky's scan results show that RDP is "an enormously deployed service, across most networks in the world (21767 of 57344 /16's, at 8.3% coverage)."

follow Ryan Naraine on twitter

"There's a very good chance that your network is exposing some RDP surface. If you have any sort of crisis response policy, and you aren’t completely sure you’re safe from the RDP vulnerability, I advise you to invoke it as soon as possible," Kaminsky added.

His warnings follow a mad scramble among security researchers -- white hat and black hat -- to create reliable exploit code targeting this vulnerability.  There are numerous examples of proof-of-concept code that crashes an unpatched Windows machine but none of the public examples show remote code execution.

It’s important to note that the vulnerable code is reachable only if RDP is enabled and a mitigation feature in RDP called NLA (network level authentication) moves it to post-authentication which makes this vulnerability less likely to be wormed.  There are instructions here to enable NLA on Windows to reduce the severity of a potential attack.


Topics: Networking, Browser, Microsoft, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • What?

    He finds 415,000 end points that are listening on port 3389 -- not necessarily RDP nor unpatched RDP servers somehow he "extrapolates" that there are about 5 Million? How exactly does he get from point A to point B?

    Based on the evidence, I extrapolate that the author of this article and Kaminsky are over-reacting based on rudimentary port scanning with no basis in fact.
    Your Non Advocate
    • It's done all the time

      From Dan's blog:
      "On 16-Mar-2012, I initiated a scan across approximately 8.3% of the Internet (300M IPs were probed; the scan is ongoing). 415K of ~300M IP addresses showed evidence of speaking the RDP protocol (about twice as many had listeners on 3389/tcp always be sure to speak a bit of the protocol before citing connectivity!)

      Extrapolating from this sample, we can see that theres approximately five million RDP endpoints on the Internet today."

      Use a random sample of sufficient size, extrapolate a result. It isn't hard to work out RDP connection listeners (as opposed to other services), listen to the first dozen bytes.

      The results should come as no surprise but are worrying. Good luck Ye and friends;-)
      Richard Flude
    • He finds 415,000 end points that are listening on port 3389

      He finds about twice as many just listening.

      He finds 415,000 [b] responding to [/b] the protocol.
      Bad news.
  • just for fun

    I have a few locations where I port map common ports to a phoney dmz machine with nothing on it.
  • backdoor

    No solution posted on how to fix this RDP problem here in ZDNET?
    Probably just disabling that RDP process which is hidden in all of my windows machines (including XP's), and acts like a rootkit by hiding its presence.

    Another undocumented feature of this shiny OS's?
    • Apply KB2621440

      That is MS12-020, dude.
  • Linux isn't affected then?

    I don't know why anyone who wants a secure site uses Windows as the server OS.
    • Because windows can be secure..

      As long as its:
      * not connected to a network
      * Uses strong password
      * Have the cdrom disabled
      * have the usb disabled
      * and never stayed logged in
      Anthony E
  • It's ok for you techies

    but I wouldn't have any idea what he is talking about, and even less idea whether I need to check it and what to do about it.
  • how to check if you are vulnerable...

    a mate and I have built a little web based tool at http://rdpcheck.com that lets you check your exposure to an attack on RDP by a hacker or RDP worm from the Internet. it's also got practical, easy to understand advice on what anyone (from home right up to enterprise) can do to protect themselves from this bug.