Title

Microsoft Remote Desktop Connection Client Remote Code Execution Vulnerability (Cat II impact)

Discussion

Microsoft has released a security bulletin addressing a vulnerability affecting Microsoft Windows Remote Desktop Client. To exploit this vulnerability, an attacker would entice a user to open a legitimate Remote Desktop configuration file (.rdp) that is located in the same network directory as a malicious dynamic link library (DLL) file. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code. At this time, there are known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. Remote Desktop Insecure Library Loading Vulnerability - (CVE-2011-0029): A remote code execution vulnerability exists in the way that Windows Remote Desktop Client handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Check Content

See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS11-017 (2508062). Vulnerable Applications/Systems: Remote Desktop Connection 5.2 Client Windows XP SP3 Remote Desktop Connection 6.0 Client Windows XP Professional x64 Edition SP2 Windows Server 2003 SP2 (x86, x64) Remote Desktop Connection 6.0 Client Multilingual User Interface Windows Server 2003 SP2 x86 Remote Desktop Connection 6.1 Client Windows XP SP3 Windows Vista SP1 and SP2 (x86 and x64) Windows Server 2008 and Windows Server 2008 SP2 (x86**, x64**, and Itanium) Remote Desktop Connection 7.0 Client Windows XP SP3 Windows Vista SP1 and SP2 (x86 and x64) Windows 7 (x86 and x64) Windows Server 2008 R2 (x64** and Itanium) **Server Core installation not affected. Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems/Applications not listed below. 2k3mstsc.exe (Remote Desktop Connection 5.2 Client) Windows XP SP3 – 5.2.3790.4807 Mstsc.exe (Remote Desktop Connection 6.0 and Remote Desktop Connection 6.1 Client) Windows XP SP3 – 6.0.6001.18589 or 22840 Windows XP SP2 x64 – 6.0.6001.18564 or 22815 Windows 2003 SP2 – 6.0.6001.18564 or 22815 Windows Vista SP1 / 2008 – 6.0.6001.18564 or 22815 Windows Vista SP2 / 2008 SP2 – 6.0.6002.18356 or 22550 Mstsc.exe (Remote Desktop Connection 7.0 Client) Windows XP SP3 – 6.1.7600.16722 or 20861 Windows Vista – 6.1.7600.16722 or 20861 Windows 7 / 2008 R2 – 6.1.7600.16722 or 20861

Fix Text

Additional Identifiers

Rule ID:

Vulnerability ID: V-26091

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.