LAS VEGAS -- What does a vulnerability in Microsoft's remote desktop protocol have to do with Hyper-V?
A lot, according to Check Point Software Technologies.
The cybersecurity vendor discovered that a path-traversal vulnerability it had previously discovered in RDP in February could be used as a virtual machine (VM) escape in Hyper-V Manager. The findings were presented during a session Wednesday at Black Hat 2019 titled "He Said, She Said -- Poisoned RDP Offense and Defense." Eyal Itkin, vulnerability researcher at Check Point, and Dana Baril, a security software engineer at Windows Defender ATP Research, co-presented the research.
Check Point said it hadn't considered the remote desktop protocol vulnerability as a potential threat to Hyper-V; however, the vendor said it received "numerous comments" about its RDP vulnerability report through channels such as Reddit asking if the flaws in the RDP client could affect Microsoft VMs since they shared a common technology.
"We didn't see a Hyper-V connection, and surprisingly enough, there was a big connection," said Yaniv Balmas, head of research at Check Point.
Check Point researchers, including Itkin, began taking a closer look at the path-traversal flaw in RDP and how it could be applied to Hyper-V. Balmas said the RDP vulnerability was somewhat unique. "It breaks a common misconception that if you use RDP or a similar remote connection protocol, then you're safe as long as you're making the connection," he said. "But that's not true -- if you connect to a malicious system, then with this vulnerability the malware can bounce back on to you."
Check Point found that the same was true with VMs in Hyper-V and that the RDP vulnerability allowed a guest-to-host VM escape. As a result, Balmas said, a malicious guest could exploit the RDP vulnerability, escape the VM and "bounce back" malware to the host system.
In the Black Hat session, Itkin described such an attack as "lazy lateral movement" -- instead of actively trying to connect to different systems to move through an environment, an attacker could gain control of a single system and wait for others to connect to that "poisoned RDP" client to infect them and harvest their credentials.
The common thread between RDP and Hyper-V
The researchers discovered that Microsoft uses RDP "behind the scenes" for Hyper-V's control plane, according to the research paper from Itkin and Baril. "Instead of re-implementing screen-sharing, remote keyboard and a synchronized clipboard, Microsoft decided that all of these features are already implemented as part of RDP, so why not use it in this case as well?" they wrote.
Yaniv BalmasHead of research, Check Point Software
Therefore, the path-traversal vulnerability, which affected clipboard synchronization in RDP clients, also affects clipboard synchronization in Hyper-V. Clipboard synchronization is available only in Hyper-V's enhanced sessions mode, but the mode is turned on by default in Windows 10.
The software giant initially declined to patch the RDP vulnerability in February, saying the "finding is valid but does not meet our bar for servicing." However, Balmas said that after demonstrating to Microsoft that the flaw could be used against Hyper-V, Microsoft issued a patch in last month's Patch Tuesday. "I think the Hyper-V connection also surprised Microsoft, and when they learned about it, they acted quickly," he said.
Balmas recommended that enterprises using Hyper-V patch the RDP vulnerability or at least disable the clipboard synchronization function, which would prevent users from copying and pasting data from VMs. Because Hyper-V relies on RDP for its control interface, organizations can't simply disable RDP without also impeding Hyper-V's interface.
Baril also developed a detection method within Windows Defender ATP that can alert organizations about possible exploitations of the RDP vulnerability. She used Windows 10 telemetry data to detect anomalous activity in RDP, such as multiple files being copied in a short period of time. "A patch is not enough because the user is still vulnerable until they install the patch," she said.
RDP vulnerabilities and attacks have become a growing concern for the infosec community in recent years. In 2018, the FBI and the Department of Homeland Security issued a joint security advisory that warned threat actors were "increasingly" exploiting vulnerabilities in RDP. In May, Microsoft patched a critical RDP flaw, dubbed BlueKeep, which allows remote code execution on vulnerable systems. "I'm guessing there could be more vulnerabilities like this one in RDP, which is a big risk," Balmas said.