Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness

Medium Nessus Plugin ID 18405


It may be possible to get access to the remote host.


The remote version of the Remote Desktop Protocol Server (Terminal
Service) is vulnerable to a man-in-the-middle (MiTM) attack. The RDP
client makes no effort to validate the identity of the server when
setting up encryption. An attacker with the ability to intercept
traffic from the RDP server can establish encryption with the client
and server without being detected. A MiTM attack of this nature would
allow the attacker to obtain any sensitive information transmitted,
including authentication credentials.

This flaw exists because the RDP server stores a hard-coded RSA
private key in the mstlsapi.dll library. Any local user with
access to this file (on any Windows system) can retrieve the
key and use it for this attack.


- Force the use of SSL as a transport layer for this service if
supported, or/and

- Select the 'Allow connections only from computers running Remote
Desktop with Network Level Authentication' setting if it is available.

See Also

Plugin Details

Severity: Medium

ID: 18405

File Name: tssvc_mim.nasl

Version: 1.31

Type: remote

Agent: windows

Family: Windows

Published: 2005/06/01

Modified: 2018/08/01

Dependencies: 27507, 10940, 58453, 30218

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5.1

Temporal Score: 3.8

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:remote_desktop_connection, cpe:/a:microsoft:windows_terminal_services_using_rdp

Exploit Available: false

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2005/05/28

Reference Information

CVE: CVE-2005-1794

BID: 13818