This week, researchers from CyberArk shared technical details of a vulnerability in the named RDP (Remote Desktop Protocol) channel in Windows, for which Microsoft had to release two patch packages. The RCE vulnerability CVE-2022-21893 was fixed on the January 2022 Patch Tuesday, but the attack vector was not closed. In April 2022, Microsoft fixed a new bug, CVE-2022-24533.
CVE-2022-21893 is a vulnerability in Windows Remote Desktop Services (RDS) that can allow an unprivileged user connected through RDP to access the file system of other connected users' devices.
The vulnerability allows an attacker to view and modify the contents of the clipboard, transferred files and smart card PIN codes. An attacker can impersonate a logged-in user and gain access to the victim’s connected devices (USB devices, hard drives, etc.). “This can lead to leakage of confidential data, lateral movement and elevation of privileges,” CyberArk noted.
According to the researchers, the vulnerability exists because permissions on named RDS channels are handled incorrectly, which allows a user with normal privileges to “intercept virtual RDP channels in other connected sessions.”
“A named channel allowed each user in the system to create additional channel servers with the same name,” CyberArk explained. Microsoft changed the channel access rights and banned regular users from creating named channel servers. However, this did not eliminate the user’s ability to set permissions for subsequent instances. After the April fix, a new unique GUID (Globally Unique Identifier) is generated for each new channel, so an attacker cannot predict the name of the next channel.
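The two hardening steps described above, a restricted access list and an unpredictable GUID-based name, sketched for a server of its own as an added example (not CyberArk's or Microsoft's code). It assumes the "named channel" is a Windows named pipe and that the script runs in Windows PowerShell 5.1; the `example_channel` prefix and both function names are hypothetical.

```powershell
# Added example; assumes Windows PowerShell 5.1 (.NET Framework pipe API).
Add-Type -AssemblyName System.Core

function New-HardenedPipe {
    param([string]$Prefix = 'example_channel')   # hypothetical name prefix

    # Unpredictable name: a fresh GUID per channel, so the next name cannot be guessed.
    $name = '{0}_{1}' -f $Prefix, [guid]::NewGuid().ToString('D')

    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $service = [System.Security.Principal.WindowsIdentity]::GetCurrent().User   # stands in for the service account
    $clients = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')  # Authenticated Users

    $sec = New-Object System.IO.Pipes.PipeSecurity
    # Only the service identity gets FullControl, which includes CreateNewInstance.
    $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule(
        $service, [System.IO.Pipes.PipeAccessRights]::FullControl, $allow)))
    # Clients may read and write; ReadWrite does not include CreateNewInstance,
    # so they cannot stand up another server instance under the same name.
    $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule(
        $clients, [System.IO.Pipes.PipeAccessRights]::ReadWrite, $allow)))

    $pipe = [System.IO.Pipes.NamedPipeServerStream]::new(
        $name, [System.IO.Pipes.PipeDirection]::InOut, 4,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None, 4096, 4096, $sec)

    [pscustomobject]@{ Name = $name; Pipe = $pipe; Security = $sec }
}

# Audit helper: list every SID that an ACL allows to create further pipe instances.
function Get-InstanceCreators {
    param([System.IO.Pipes.PipeSecurity]$Security)
    $flag = [System.IO.Pipes.PipeAccessRights]::CreateNewInstance
    $Security.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.PipeAccessRights -band $flag) } |
        ForEach-Object { $_.IdentityReference.Value }
}

$p = New-HardenedPipe
'{0} -> may create instances: {1}' -f $p.Name, ((Get-InstanceCreators $p.Security) -join ', ')
$p.Pipe.Dispose()
```

If `Get-InstanceCreators` returns any SID other than the service identity, ordinary users can still create server instances under that pipe name.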
At the moment, there are no vulnerabilities, and users are safe. Experts recommended updating the service to the latest version to ensure data protection.