This week, CyberArk researchers shared technical information about a named pipe RDP (Remote Desktop Protocol) vulnerability in Windows, for which Microsoft had to release two patches.
The RCE vulnerability CVE-2022-21893 was fixed in the January 2022 Patch Tuesday release, but the attack vector itself was not closed. In April 2022, Microsoft fixed the new bug, CVE-2022-24533.
CVE-2022-21893 is a Windows Remote Desktop Services (RDS) vulnerability that could allow an unprivileged user connected via RDP to access the file system of connected users’ devices.
The vulnerability allows an attacker to view and modify the contents of the clipboard, sent files, and smart card PINs. An attacker can impersonate a logged-in user and gain access to the victim’s connected devices (USB devices, hard drives, etc.).
According to the researchers, the vulnerability exists due to improper handling of RDS named pipe permissions, which allows a user with normal privileges to “hijack RDP virtual channels in other connected sessions.”
Microsoft changed the permissions on pipes and prevented regular users from creating named pipe servers. However, this did not remove the user’s ability to set permissions for subsequent instances. After the April fix, a new Globally Unique Identifier (GUID) is generated for new channels, which prevents an attacker from predicting the name of the next channel.
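Why the predictability of the channel name matters, as a simplified Python model added here (it is not CyberArk's or Microsoft's code and does not call the Windows API). The `chan-N` names, the account labels and the rule that the first creator's access list applies to later instances are assumptions for illustration; `must_be_first` goes beyond the article and models the Windows `FILE_FLAG_FIRST_PIPE_INSTANCE` option, which lets a server refuse a name that already exists.

```python
import itertools
import uuid


class PipeNamespace:
    """Toy model of a named-pipe namespace; not the Windows API.

    Assumed rule: the creator of the FIRST instance of a name fixes the
    access list that every later instance of that name inherits.
    """

    def __init__(self):
        self._first = {}  # pipe name -> (first creator, allowed accounts)

    def create(self, name, creator, allowed, must_be_first=False):
        if name in self._first:
            if must_be_first:  # models Windows' FILE_FLAG_FIRST_PIPE_INSTANCE
                raise PermissionError(f"{name}: an instance already exists")
            return self._first[name]  # the earlier creator's ACL stays in force
        self._first[name] = (creator, frozenset(allowed))
        return self._first[name]


def sequential_names(prefix="chan"):
    """Predictable naming: the next name follows from the previous ones."""
    return (f"{prefix}-{n}" for n in itertools.count(1))


def guid_names(prefix="chan"):
    """Post-fix style naming: a fresh random GUID per channel."""
    return (f"{prefix}-{uuid.uuid4()}" for _ in itertools.count())


def open_channel(names, squatted, must_be_first=False):
    """Return (first creator, allowed accounts) for the service's next channel.

    `squatted` holds names a standard user created before the service did.
    """
    ns = PipeNamespace()
    for name in squatted:
        ns.create(name, "user", {"user", "SYSTEM"})
    return ns.create(next(names), "SYSTEM", {"SYSTEM"}, must_be_first)


if __name__ == "__main__":
    guesses = [f"chan-{n}" for n in range(1, 6)]  # constructed sample input
    print("sequential:", open_channel(sequential_names(), guesses))
    print("guid      :", open_channel(guid_names(), guesses))
```

With sequential names the service's channel ends up governed by the access list the standard user set; with GUID names the pre-created guesses never match, so the service's own access list applies.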
At the moment, there are no known open vulnerabilities in this attack vector, and users who have installed the fixes are safe. Experts recommended updating the service to the latest version to ensure data protection.