
I performed an OpenVAS scan on a Windows Server 2008 R2 and got a report for a high threat level vulnerability called Microsoft RDP Server Private Key Information Disclosure Vulnerability. A remote attacker could perform a man-in-the-middle attack to gain access to an RDP session.

Affected software is Microsoft RDP 5.2 and below.
My server uses RDP 7.1; is this alarm a false alarm?

Security Advisor Pages say: Solution Status Unpatched, No remedy...

References:
  • http://secunia.com/advisories/15605/
  • http://xforce.iss.net/xforce/xfdb/21954/
  • http://www.oxid.it/downloads/rdp-gbu.pdf
  • CVE: CVE-2005-1794
  • BID: 13818

hub
    Not a Windows guy so I can't tell you for sure if this is or isn't a problem, but you need to look at how OpenVAS is deciding you're vulnerable. If it's actually trying an attack against the vulnerability and succeeding (or getting far enough to say you might have a problem) there's a chance your system has been compromised in some way. You could also try a scan against a known clean (fresh install) Win2K8 system to see if you get the same result. – voretaq7 Sep 06 '12 at 21:08
  • OpenVAS just seems to scan ports in the mode I used; the system is definitely clean. But you're right, if one is banner grabbing he should find out about the RDP version. – hub Sep 06 '12 at 21:13
  • Banner grabbing is what I'd expect (which is why I'd be a little concerned by this message -- I assume Microsoft has revved the RDP version number since 2005). It's also possible the OpenVAS test is poorly written (bad test condition, etc.) -- If you're reasonably sure it's a false alarm, report it to them so they can fix the test :-) – voretaq7 Sep 06 '12 at 21:20
  • I just checked the version installed on my server and it's 7.1, like it used to be on `Windows Server 2008 R2`. A little bit strange that OpenVAS directly creates a high threat level report when detecting an open port 3389... – hub Sep 06 '12 at 21:25
  • I've edited my answer to explain why that happens. – Michael Hampton Sep 06 '12 at 21:27

2 Answers

It was fixed in 5.3, (actually 6.0 since there wasn't a 5.3, but the vulnerability tests look for 5.3) so if you have 7.1 then it does not apply to your system.

Unfortunately it doesn't appear to be possible to detect the exact RDP version remotely, as the RDP server returns the same version number for anything 5.0 and higher. This vulnerability, then, would always be reported if an RDP server is present on the target host.

Michael Hampton
  • Great, I'm happy to hear that :-3 false alarm after all... – hub Sep 06 '12 at 21:15
  • Version numbers that don't indicate the version of the software that's actually running -- What will Microsoft think of next? :-/ – voretaq7 Sep 06 '12 at 22:13
  • @voretaq7 Let me tell you about Windows 7 (6.1) and Windows 8 (6.2)! – Shane Madden Sep 07 '12 at 04:39
  • @ShaneMadden I'm still running Windows Me because I'm an individualist, but I'm going to upgrade to [Vizsla](http://en.wikipedia.org/wiki/Vizsla) soon - they're too adorable to resist. – voretaq7 Sep 07 '12 at 05:24
  • You are still vulnerable unless you have configured the server to only use the newer protocol. Once you've changed the configuration, OpenVAS will no longer report the vulnerability. – Harry Johnston Aug 15 '14 at 00:01
  • Sorry, make that "potentially vulnerable" - if you are using up-to-date clients then you'll see a warning if a MitM attempts to downgrade the connection to an unauthenticated one. Reconfiguring the server just ensures that nobody is using an out-of-date client. – Harry Johnston Aug 15 '14 at 00:29

You are still potentially vulnerable unless you have configured the server to only use the newer protocol.

You can do this as follows:

  • Open the System control panel.
  • Click on "Remote settings" on the left-hand side.
  • Make sure that the "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)" option is selected.

Once this is done, OpenVAS should no longer report the vulnerability. (At least, it worked for me.)

Harry Johnston
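As an added example (not from this thread), the same check the "Remote settings" steps above perform, done from PowerShell through the Win32_TSGeneralSetting WMI class so it can be run against many servers; it also reports the listener's SecurityLayer, and with -Enforce it requires both NLA and the TLS security layer, which is stricter than the GUI radio button alone. It assumes Windows Server 2008 R2 or later with the default RDP-Tcp listener.

```powershell
# Added example, not code from the thread. Audits (and with -Enforce, fixes) the
# RDP-Tcp listener so that only NLA clients over TLS can connect.
param(
    [switch]$Enforce   # default is report-only; pass -Enforce to remediate
)

$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                    -Class Win32_TSGeneralSetting `
                    -Filter "TerminalName='RDP-Tcp'"

# SecurityLayer: 0 = legacy RDP security layer only (no server authentication,
#                    the MitM-prone mode the scanner is warning about)
#                1 = negotiate (an old client can still fall back to legacy RDP)
#                2 = TLS/SSL required
# UserAuthenticationRequired: 1 = NLA required (the "more secure" option)
$layerName = @{ 0 = 'RDP (legacy)'; 1 = 'Negotiate'; 2 = 'TLS/SSL' }

"Listener:       $($ts.TerminalName)"
"SecurityLayer:  $($ts.SecurityLayer) ($($layerName[[int]$ts.SecurityLayer]))"
"NLA required:   $($ts.UserAuthenticationRequired)"

$weak = ($ts.UserAuthenticationRequired -ne 1) -or ([int]$ts.SecurityLayer -lt 2)

if (-not $weak) {
    "OK: NLA enforced and TLS required; the legacy RDP security layer cannot be negotiated."
    return
}

"WARNING: listener still accepts non-NLA clients or the legacy RDP security layer."

if ($Enforce) {
    # Same effect as selecting the NLA-only option in System > Remote settings,
    # plus requiring TLS so no client can negotiate down to legacy RDP security.
    $null = $ts.SetUserAuthenticationRequired(1)
    $null = $ts.SetSecurityLayer(2)
    "Remediated: new connections must use NLA over TLS (existing sessions are unaffected)."
}
```

Run it report-only first across your fleet; once -Enforce is applied, clients older than RDP 6.0 (and any without CredSSP) will be refused, which is exactly the out-of-date-client exposure the answer above describes.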