search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Microsoft Windows Remote Desktop Protocol service input validation vulnerability

Vulnerability Note VU#490628

Original Release Date: 2005-08-09 | Last Revised: 2005-09-06

Overview

An input validation error in the Microsoft Remote Desktop Protocol (RDP) service may allow a remote attacker to cause a denial-of-service condition.

Description

Microsoft describes the Remote Desktop Protocol (RDP) as follows.

RDP is based on, and is an extension of, the T.120 protocol family standards. It is a multichannel-capable protocol that allows for separate virtual channels for carrying device communication and presentation data from the server, as well as encrypted client mouse and keyboard data.
The Microsoft RDP service contains an input validation error that can be exploited to cause a denial-of-service condition. A remote attacker may be able to exploit this vulnerability by sending a system running the RDP service a specially crafted message on port 3389/tcp. Note note that the Microsoft Firewall will allow RDP traffic to enter a system by default.

The RDP service is not enabled by default on Microsoft Windows, but may be enabled if the following components are installed and running:

    • Microsoft Terminal Services
    • Microsoft Remote Desktop
    • Microsoft Remote Assistance
    • Windows Small Business Server 2003 Remote Web Workplace
Note that exploit code for this vulnerability is publicly available. For more information regarding this issue, please refer to MS05-041.

Impact

This vulnerability allows unauthorized, remote attackers to crash a system running the RDP service resulting in a denial-of-service condition.

Solution

Apply An Update

Microsoft has addressed this issue in Microsoft Security Bulletin MS05-041.

Microsoft recommends the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors.


Disable Terminal Services, Remote Desktop, Remote Assistance, and Windows Small Business Server 2003 Remote Web Workplace feature.

Disabling Terminal Services, Remote Desktop, Remote Assistance, and Windows Small Business Server 2003 Remote Web Workplace may reduce the risk of exploitation.

Block port 3389/tcp at the perimeter:

Port 3389/tcp is the port used by RDP. Blocking access to this port from untrusted sources may reduce the risk of exploitation. It may also be necessary to block port 4125/tcp which is used by Windows Small Business Server 2003 for RDP connections.

Vendor Information

490628
Expand all

Microsoft Corporation

Updated:  August 09, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.microsoft.com/technet/security/bulletin/MS05-041.mspx.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was reported in Microsoft Security Bulletin MS05-041 . Microsoft credits Tom Ferris of Security Protocols for providing information regarding this vulnerability.

This document was written by Jeff Gennari and Will Dorman

Other Information

CVE IDs: CVE-2005-1218
Severity Metric: 16.12
Date Public: 2005-07-14
Date First Published: 2005-08-09
Date Last Updated: 2005-09-06 15:10 UTC
Document Revision: 65

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.