4/15/03
All versions of RDP allow terminal sessions to be encrypted. However, two flaws are known to exist in the encryption implementation which could allow an attacker to recover the original plaintext session, and thus view sensitive information. Firstly, the RDP client accepts the public key sent to it by the server without any verification, leaving it susceptible to a man-in-the-middle attack. An attacker who is able to perform DNS spoofing or ARP poisoning could act as a relay during the session's initial key exchange, leading to the ability to decrypt the entire session.

9/19/02 - CAN 2002-0863
Secondly, the implementation of RDP in Windows 2000 and XP sends checksums generated from plaintext session data over the network unencrypted. These checksums could allow an attacker who is able to capture network traffic to recover the original plaintext session.

9/19/02 - CAN 2002-0864; 10/26/01 - CVE 2001-0663
Due to improper handling of a certain sequence of malformed RDP data, a remote attacker could cause the server to fail. The server would then need to be rebooted in order to resume normal operation. The attacker would not need to successfully establish a session with the server in order to exploit the vulnerability.
Windows XP with Remote Desktop enabled is affected by this vulnerability. Terminal servers running on either Windows NT 4.0 or Windows 2000 are affected by a similar but unrelated vulnerability.

10/26/01 - CVE 2001-0716
Citrix MetaFrame works with Windows terminal services to provide application server capabilities. Due to improper handling of multiple sessions by Citrix MetaFrame, it is possible for a remote attacker to crash the server by initiating a large number of fake sessions with the server, waiting for them to time out, and then initiating another new session. The server would then need to be rebooted in order to resume normal operation. The attacker would not need access to an account on the system in order to exploit the vulnerability.
Citrix MetaFrame 1.8 Server with Service Pack 3, Citrix MetaFrame XP Server, and Citrix MetaFrame XP Server with Service Pack 1 are affected by this vulnerability.

CVE 2000-1149
A buffer overflow in the code that handles the terminal server's login prompt could allow a remote attacker to execute arbitrary code without logging in. This could allow the attacker to read, modify, or delete files, or upload programs and run them.
Windows NT 4.0 Terminal Server is affected by this vulnerability, unless the patch has been applied.
For Windows NT 4.0 Terminal Server Edition, apply the patches referenced in Microsoft Security Bulletins 00-087 and 01-052.
For Windows 2000, apply the patches referenced in Microsoft Security Bulletin 01-052 and 02-051.
For Windows XP, apply the patch referenced in Microsoft Security Bulletin 02-051.
For Citrix MetaFrame, download a hotfix from the Citrix Solution Knowledge Base, under Hotfixes.
It is also a good idea to filter TCP port 3389 at the firewall or router, such that only connections from legitimate users will be accepted.
For more information on the Citrix MetaFrame vulnerability, see the X-Force Security Alert.