Microsoft Patches, Reverse RDP Attacks, and Third-Party Clients

What is happening

• Microsoft’s Remote Desktop Protocol (RDP) is a technology built into Windows systems that is plagued by several security flaws.
• Although a prominent vulnerability (CVE-2019-0887) was patched in July 2019, it has been found that the researchers could still exploit it by replacing the backward slashes in paths with forward slashes. 
• This exploit was acknowledged by Microsoft and fixed earlier this year. The vulnerability is now tracked as CVE-2020-0655. 

The situation

• Researchers disclosed that the issue was resolved by adding a separate workaround in Windows while the root cause of the bypass issue was left unchanged.
• Researchers claimed that the patch is not foolproof and does not guarantee the protection of third-party clients against the same attack.
• When using the clipboard redirection feature while connected to a compromised RDP server, the server can use the shared RDP clipboard to send files to the client's computer and achieve remote code execution.

What the experts are saying

• Check Point researchers have stated, “A remote malware-infected computer could take over any client that tries to connect to it”.
• It has been discovered that apart from bypassing Microsoft’s patch, threat actors can bypass any canonicalization check that was carried out as per Microsoft’s best practices.

What you can do

• Organizations that use Windows should install the February patch released by Microsoft to ensure that their RDP clients are protected from reverse RDP attacks.
• Developers should be aware of the threat posed by the unchanged API PathCchCanonicalize and manually patch it.

Worth noting

• This year has seen a tremendous surge in RDP attacks, with the onset of the COVID-19 pandemic, where one of the most commonly used application-level protocol is Microsoft’s proprietary RDP protocol.
• The TrickBot malware upgraded itself by adding a feature - rdpScanDll - for brute-forcing RDP accounts.

In essence