LAS VEGAS – A path-traversal vulnerability in Microsoft’s Remote Desktop Protocol (RDP) leaves unpatched Azure customers open to attack. The flaw could allow for a virtual machine (VM) escape in Microsoft’s Hyper-V Manager, part of its Azure cloud platform.
Researchers with Check Point at a Wednesday Black Hat USA 2019 session detailed the medium-level vulnerability (CVE-2019-0887), which was patched last month in Microsoft’s July Patch Tuesday update. The flaw impacts Microsoft’s Hyper-V tool: A virtualization technology that is used in Microsoft’s Azure cloud and is offered as a virtualization product on top of the Windows 10 operating system.
“Now that there is a patch for the path-traversal vulnerability, we highly recommend all users to install the patch to protect both their RDP connections and their Hyper-V environment,” researchers urged. “While it was hard for any security researcher to miss Microsoft’s effort to test and improve the security of its Hyper-V technology, we can learn an important lesson from this research. As the saying goes: your system is only as strong as its weakest link. In other words, by depending on other software libraries, Hyper-V Manager inherits all of the security vulnerability that are found in RDP, and in any other software library that it uses.”
The flaw was initially found in February to impact Windows system, when researchers found it affecting all versions of Windows from Windows 7 to 10, and Windows Server 2008 to 2019. However, researchers said that Microsoft did not move forward with a CVE and patch until after they discovered its impact extended to Hyper V.
The initial flaw stemmed from a malicious RDP server’s ability to send a crafted file to transfer clipboard content that will cause a path traversal on the client’s machine. That’s because clipboard redirection is handled in a way where malicious files are not sanitized.
It requires an attacker to have access to an Remote Desktop Services (RDS) server; when a victim connects to that server, a malicious server can send a crafted file transfer clipboard content that will cause a path-traversal on the client’s machine.
That means an attacker who successfully exploits this vulnerability could execute arbitrary code on virtual machines; an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights, researchers said.
After disclosing the initial vulnerability for Windows machines, researchers said they received numerous comments regarding whether the flaws in Microsoft’s RDP client could impact its Hyper-V product. That’s because Hyper-V uses “enhanced sessions,” which essentially offers users an extended functionality that includes the same clipboard synchronization process between the guest and the host that is utilized in Windows systems.
Researchers had found the path-traversal vulnerability in the clipboard synchronization implemented by Microsoft’s RDP client; they found that they were able to run a Hyper-V guest-to-host VM escape over the control interface, using the same RDP vulnerability.
“While it was hard for any security researcher to miss Microsoft’s effort to test and improve the security of its Hyper-V technology, we can learn an important lesson from this research,” said the analysts. “As the saying goes: Your system is only as strong as its weakest link. In other words, by depending on other software libraries, Hyper-V Manager inherits all of the security vulnerability that are found in RDP, and in any other software library that it uses.”
Black Hat USA 2019 has kicked off this week in Las Vegas. For more Threatpost breaking news, stories and videos from Black Hat and DEF CON, click here.
