- Windows 10 Pro or higher.
- RDC to be enabled (not default).
- A non-Microsoft Account to be utilised (not default).
- That local account to have no password set.
Essentially you really need to TRY to get your machine exploitable with that one.
Is exploit code out there? If not, then that's quite a leap yet for hackers. In a week or two every win10 machine in the world will have this patched. That's a very short window for what looks like to be an ugly, but tiny edge case.
This is further evidence that Win10 is far from fully cooked. We're not touching it until 2018 with preliminary testing starting in 2017. MS rushed this pretty badly after the poor reception to 8. Also further evidence that remote technologies like ssh, rdp, etc should always be wrapped in something else like VPN or at least strictly firewalled off to known good IPs. Surprises happen.
Ok. I'm glad you have a survey of every business out there.
> Is exploit code out there?
You use any non-Win10 RDP client and enter the username with the blank password.
> Also further evidence that remote technologies like ssh, rdp, etc should always be wrapped in something else like VPN or at least strictly firewalled off to known good IPs
RDP seems like a shitty remote access protocol wrt security, but VPN products are certainly worse than OpenSSH.
>You use any non-Win10 RDP client and enter the username with the blank password.
What username? What code generates the correct name? That's what I was referring to. Say there is a win10 pro machine with rdp enabled for the account 'jmpendergrast' with no password and listening to 3389 with no firewall blocking it. Wonderful, how many passess until you guess that? Where is the automation code?
Note, by default windows will not let you use a password-less account for RDP:
So that's another hurdle someone has to get through.
Also, when RDP is enabled, it default to the newer versions which don't have this bug. You need to specify legacy access as well. Another hurdle.
So let me summarize what needs to happen for this attack to work: Win10 needs RDP enabled with legacy access explicitly allowing non-NLA connections. Then Win10 needs a firewal rule for 3389 from its router or put on the internet without a NAT/Firewall. Then Win10 needs someone to make an account with a password (passwords are mandatory for rdp). Then someone needs to change the registry to allow blank passwords for a RDP user. Then that user needs to remove the password from that account. Then that user needs to be put in the RDP group.
And if a home user does this, he or she isn't using a local account they're probably using a MSN account.
This is very much an edge case here.
>RDP seems like a shitty remote access protocol wrt security, but VPN products are certainly worse than OpenSSH.
Everything sucks but FOSS right? How non-biased of you. I won't mention heartbleed and shellshock then.
That is what this bug is about. I think there is a chance that the login screen may show the usernames.
Update: reproed and confirmed how it shows the usernames, in fact in some cases it can login automatically!
Nope, but OpenSSH (not PAM) is leaps and bounds above everything else.
Almost all of your beloved VPN software was probably susceptible to heartbleed.
But mostly I've looked at software from "security" companies, and overall it's a steaming pile of shit.
It's probably not going to get popped by non-state actors. I'd say the same things about ssh & rdp in general, but rdp has had a non-trivial amount of bugs in it.
>It's probably not going to get popped by non-state actors.
Not too long ago people were making this argument but including both OpenSSL and OpenSSH. Now its just OpenSSH. Funny how that works. The reality is that layered security is a best practice and just expecting something to be perfect forever because of past performance is a very questionable premise.
I think they are referring to automated attacks.
If your business is not managing accounts over the domain via Active Directory and is individually setting up unmanaged local accounts for employees, you have far far bigger security issues than this remote desktop exploit.
And then on top of that you need RDC on a Windows 10 box to be exposed to the internet or a LAN with malicious users on it.
It is a legitimate bug that should be patched. But a miniscule subset of users will be impacted, because the pre-conditions are so niche.
Windows 10 hosts running RDP services fail to prevent remote logon to accounts that have
no passwords set.
An attacker could exploit this vulnerability by using an older version of the RDP client
to connect to the Windows 10 host. Once connected, the attacker could generate a list of
user accounts on the host and attempt to log on as those users. If one of the user
accounts has no password set, then the attacker is allowed to log on as that user,
despite the default system setting that restricts access to accounts without passwords to
local logon only.
Building complex software is hard work, so I won't judge the development team that released software this vulnerable. That said, this one seems pretty severe.
That reads to me like "RCE if you have RCE". Which I guess is a fair description of the DLL vulnerabilities if you ignore the privilege-escalation parts.
The DirectShow and (perhaps) passwordless RDP vulnerabilities seem rather more severe to me.
How is that leader quote appropriate?