RDP exploit watch: 5 million RDP endpoints found on internet
Summary: Dan Kaminsky scans 300 million IP addresses (approximately 8.3% of the Internet) and finds about 415,000 "speaking the RDP protocol."
Security researcher Dan Kaminsky has identified approximately five million internet-accessible RDP endpoints that are potentially sitting ducks for a network worm exploiting the MS12-020 vulnerability.
Kaminsky, best known for his work finding -- and helping to fix -- a flaw in the DNS infrastructure, scanned 300 million IP addresses (approximately 8.3% of the Internet) and found about 415,000 "speaking the RDP protocol."
"Extrapolating from this sample, we can see that there’s approximately five million RDP endpoints on the Internet today," Kaminsky warned.
He noted that some of those endpoints may already have applied the MS12-020 patch, which fixes a "critical" code execution vulnerability -- remote, pre-authentication, network-accessible -- in Microsoft’s implementation of the RDP protocol.
However, Kaminsky's scan results show that RDP is "an enormously deployed service, across most networks in the world (21767 of 57344 /16's, at 8.3% coverage)."
"There's a very good chance that your network is exposing some RDP surface. If you have any sort of crisis response policy, and you aren’t completely sure you’re safe from the RDP vulnerability, I advise you to invoke it as soon as possible," Kaminsky added.
His warnings follow a mad scramble among security researchers -- white hat and black hat -- to create reliable exploit code targeting this vulnerability. There are numerous examples of proof-of-concept code that crashes an unpatched Windows machine but none of the public examples show remote code execution.
It’s important to note that the vulnerable code is reachable only if RDP is enabled, and that a mitigation feature in RDP called NLA (Network Level Authentication) moves it to post-authentication, which makes this vulnerability much less likely to be wormed. Instructions for enabling NLA on Windows are available; doing so reduces the severity of a potential attack.
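The distinction the article draws between "RDP is listening" and "RDP is reachable pre-authentication" can be checked on the wire. The script below is an added example, not code from the article or from Kaminsky's scan: it sends the first message of the RDP connection sequence (an X.224 Connection Request carrying an RDP_NEG_REQ, per MS-RDPBCGR) and classifies the Connection Confirm that comes back. It deliberately asks for TLS only, without the CredSSP (HYBRID) flag, so a server that enforces NLA has to answer with an RDP_NEG_FAILURE of HYBRID_REQUIRED_BY_SERVER; a legacy server that ignores negotiation returns a bare 7-byte Connection Confirm, which means standard RDP security and no NLA at all. The protocol constants are from MS-RDPBCGR; the function names and the sample responses are constructed for this example. It also does what the later comment recommends, speaking a bit of the protocol before counting a host as an RDP endpoint.

```python
"""Added example: probe an RDP listener and tell whether NLA is enforced.

Constants are from MS-RDPBCGR (X.224 Connection Request/Confirm, RDP_NEG_*).
Function names and the sample byte strings below are constructed for this
example and are not part of the original article.
"""
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000
PROTOCOL_SSL = 0x00000001
PROTOCOL_HYBRID = 0x00000002          # CredSSP, i.e. NLA

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005

X224_CC = 0xD0                        # Connection Confirm TPDU code


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (no cookie)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR fixed part: CR|CDT code, DST-REF, SRC-REF, class option
    x224 = bytes([0xE0, 0x00, 0x00, 0x00, 0x00, 0x00]) + neg_req
    tpdu = bytes([len(x224)]) + x224   # LI counts everything after itself
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu


def classify_response(data: bytes) -> dict:
    """Classify what a server sent back in reply to build_connection_request()."""
    result = {"speaks_rdp": False, "negotiation": None,
              "selected_protocol": None, "failure_code": None,
              "nla_required": False, "note": ""}
    if len(data) < 7 or data[0] != 3:
        result["note"] = "not a TPKT/X.224 response"
        return result
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len < 7 or len(data) < tpkt_len or data[5] != X224_CC:
        result["note"] = "no X.224 Connection Confirm"
        return result
    data = data[:tpkt_len]
    result["speaks_rdp"] = True
    li = data[4]
    if li == 6:                        # bare CC, no RDP_NEG_RSP/FAILURE
        result["negotiation"] = "none"
        result["note"] = "legacy server: standard RDP security, NLA not available"
        return result
    if li < 14 or len(data) < 19:
        result["note"] = "short Connection Confirm"
        return result
    ntype, _flags, _nlen, value = struct.unpack("<BBHI", data[11:19])
    if ntype == TYPE_RDP_NEG_RSP:
        result["negotiation"] = "response"
        result["selected_protocol"] = value
        result["note"] = ("server selected CredSSP (NLA)" if value & PROTOCOL_HYBRID
                          else "server accepted a non-NLA security layer")
    elif ntype == TYPE_RDP_NEG_FAILURE:
        result["negotiation"] = "failure"
        result["failure_code"] = value
        if value == HYBRID_REQUIRED_BY_SERVER:
            result["nla_required"] = True
            result["note"] = "server requires NLA (HYBRID_REQUIRED_BY_SERVER)"
        else:
            result["note"] = "negotiation failure code %d" % value
    else:
        result["note"] = "unknown negotiation type %d" % ntype
    return result


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Request TLS only, so an NLA-enforcing server must refuse us."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_SSL))
        data = s.recv(64)
    return classify_response(data)


# Constructed sample responses (not captured from any real host).
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed00000123400" "0300080005000000")
SAMPLE_SSL_ACCEPTED = bytes.fromhex("030000130ed00000123400" "0200080001000000")
SAMPLE_NOT_RDP = b"SSH-2.0-OpenSSH\r\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for name, sample in [("legacy", SAMPLE_LEGACY), ("nla", SAMPLE_NLA_REQUIRED),
                             ("ssl", SAMPLE_SSL_ACCEPTED), ("ssh", SAMPLE_NOT_RDP)]:
            print(name, classify_response(sample)["note"])
```

Only a `nla_required` result means the pre-authentication code path is closed to an anonymous client; "server selected CredSSP" on a request that included the HYBRID flag would tell you only that NLA is supported, which is why the probe leaves that flag out. A legacy Connection Confirm with no negotiation block is the case to prioritise, since NLA cannot be enabled on it at all.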
Talkback
What?
Based on the evidence, I extrapolate that the author of this article and Kaminsky are over-reacting based on rudimentary port scanning with no basis in fact.
It's done all the time
"On 16-Mar-2012, I initiated a scan across approximately 8.3% of the Internet (300M IPs were probed; the scan is ongoing). 415K of ~300M IP addresses showed evidence of speaking the RDP protocol (about twice as many had listeners on 3389/tcp; always be sure to speak a bit of the protocol before citing connectivity!)
Extrapolating from this sample, we can see that there's approximately five million RDP endpoints on the Internet today."
Use a random sample of sufficient size, extrapolate a result. It isn't hard to work out RDP connection listeners (as opposed to other services), listen to the first dozen bytes.
The results should come as no surprise but are worrying. Good luck Ye and friends;-)
He finds 415,000 end points that are listening on port 3389
He finds about twice as many just listening.
He finds 415,000 [b] responding to [/b] the protocol.
Bad news.
just for fun
backdoor
Probably just disabling that RDP process which is hidden in all of my windows machines (including XP's), and acts like a rootkit by hiding its presence.
Another undocumented feature of this shiny OS's?
Apply KB2621440
Linux isn't affected then?
Because windows can be secure..
* not connected to a network
* Uses strong password
* Have the cdrom disabled
* have the usb disabled
* and never stayed logged in
It's ok for you techies
how to check if you are vulnerable...