Remote Desktop Protocol Server Man-in-the-Middle Weakness

medium Nessus Plugin ID 18405

Synopsis

It may be possible to get access to the remote host.

Description

The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man-in-the-middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials.

This flaw exists because the RDP server stores a publicly known hard-coded RSA private key. Any attacker in a privileged network location can use the key for this attack.

Solution

- Force the use of SSL as a transport layer for this service if supported, or/and

- On Microsoft Windows operating systems, select the 'Allow connections only from computers running Remote Desktop with Network Level Authentication' setting if it is available.

See Also

http://www.nessus.org/u?8033da0d

Plugin Details

Severity: Medium

ID: 18405

File Name: tssvc_mim.nasl

Version: 1.34

Type: remote

Family: General

Published: 6/1/2005

Updated: 8/24/2022

Risk Information

VPR

Risk Factor: Low

Score: 2.5

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Temporal Score: 3.8

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2005-1794

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

CPE: cpe:/a:microsoft:remote_desktop_connection, cpe:/a:microsoft:windows_terminal_services_using_rdp

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 5/28/2005

Reference Information

CVE: CVE-2005-1794

BID: 13818