Microsoft Windows Remote Desktop Gateway contains vulnerabilities that may allow a remote, unauthenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.
Microsoft Windows Remote Desktop Gateway (RD Gateway) is a Windows Server component that provides access to Remote Desktop services without requiring the client system to be present on the same network as the target system. Originally launched as Terminal Services Gateway (TS Gateway) with Windows Server 2008, RD Gateway is a recommended way to provide Remote Desktop connectivity to cloud-based systems. For example, guidance has been provided for using RD Gateway with AWS, and also with Azure. The use of RD Gateway is recommended to reduce the attack surface of Windows-based hosts.
Microsoft RD Gateway in Windows Server 2012 and later contain two vulnerabilities that can allow an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges. It is reported by Kryptos Logic that the flaws lie in handling of fragmentation. This vulnerability is exploitable by connecting to the RD Gateway service listening on UDP/3391.
By sending a specially-crafted request to a Remote Desktop Gateway server, an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges.
Disable Remote Desktop Gateway UDP transport
This document was written by Will Dormann.