{"vuid":"VU#624051","idnumber":"624051","name":"Microsoft Remote Desktop Protocol (RDP) insecurely deallocates memory","keywords":["MS12-020","ZDI-12-044","double-free","CWE-415","MEM31-C","2671387"],"overview":"The Microsoft Remote Desktop Protocol (RDP) service contains a double-free vulnerability that could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.","clean_desc":"The Microsoft Remote Desktop Protocol (RDP) provides a remote graphical interface to Microsoft Windows systems. Microsoft Security Bulletin MS12-020 describes a remote code execution vulnerability in the RDP service. TippingPoint Zero Day Initiative advisory ZDI-12-044 indicates the vulnerability is caused by a double-free condition that occurs when RDP handles an error and aborts a connection. MS12-020 also describes a denial-of-service vulnerability (CVE-2012-0152).","impact":"A remote, unauthenticated attacker could execute arbitrary code with the privileges of the RDP driver, effectively taking complete control of a vulnerable system.","resolution":"Apply an update: Apply the appropriate updates as described in MS12-020.","workarounds":"Enable Network Level Authentication (NLA): NLA requires authentication before a remote desktop session is created. This means an attacker would have to successfully authenticate before exploiting the double-free vulnerability. Note that Windows Server 2003 does not support NLA and cannot connect to a Remote Desktop service that requires NLA. For more information, see Configure Network Level Authentication for Remote Desktop Services Connections. Authenticate RDP connections using independent protocols: Use other secure network protocols to authenticate users before allowing RDP connections. Microsoft provides KB articles that describe how to use IPsec to secure RDP connections on Windows 2000 and Windows Server 2003. Many types of VPN can be used to authenticate users, and RDP traffic can be tunneled over SSH if an SSH daemon is installed on the RDP server. Change RDP listening port: Changing the listening port used by RDP (3389/tcp) will not protect against attacks, but may hide RDP servers from scanning that targets the default port. See How to change the listening port for Remote Desktop. Restrict access: Restrict RDP server access to trusted hosts and networks.","sysaffected":"","thanks":"Microsoft credits Luigi Auriemma, via TippingPoint's Zero Day Initiative.","author":"This document was written by Art Manion based on information from MS12-020 and ZDI-12-044.","public":["http://technet.microsoft.com/en-us/security/bulletin/ms12-020","http://aluigi.org/adv/termdd_1-adv.txt","http://www.zerodayinitiative.com/advisories/ZDI-12-044/","http://blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx","http://msdn.microsoft.com/en-us/library/aa383015(v=VS.85).aspx","http://technet.microsoft.com/en-us/library/cc732713.aspx","http://support.microsoft.com/kb/315055","http://support.microsoft.com/kb/816521","http://support.microsoft.com/kb/306759","https://www.securecoding.cert.org/confluence/display/seccode/MEM31-C.+Free+dynamically+allocated+memory+exactly+once","http://cwe.mitre.org/data/definitions/415.html","http://aluigi.org/adv/ms12-020_leak.txt"],"cveids":["CVE-2012-0002","CVE-2012-0152"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2012-03-08T18:55:48Z","publicdate":"2012-03-13T00:00:00Z","datefirstpublished":"2012-03-16T03:48:07Z","dateupdated":"2015-09-17T20:32:51Z","revision":25,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"15","cam_exploitation":"6","cam_internetinfrastructure":"5","cam_population":"15","cam_impact":"20","cam_easeofexploitation":"7","cam_attackeraccessrequired":"12","cam_scorecurrent":"12.285","cam_scorecurrentwidelyknown":"14.6475","cam_scorecurrentwidelyknownexploited":"21.2625","ipprotocol":"tcp","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"10","cvss_basevector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","cvss_temporalscore":"7.8","cvss_environmentalscore":"5.86926702432","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":12.285,"vulnote":null}