Security – openVAS – Microsoft RDP Server Private Key Information Disclosure Vulnerability – false Alarm

openvasrdpSecurityvulnerabilitieswindows-server-2008-r2

I performed a openVAS scan on a Windows Server 2008 R2 and got a report for a high threat level vulnerability called Microsoft RDP Server Private Key Information Disclosure Vulnerability. An remote attacker could perform a man-in-the-middle attack to gain access to a RDP session.

Affected Software is Microsoft RDP 5.2 and below.
My server uses RDP 7.1, is this alarm a false alarm?

Security Advisor Pages say: Solution Status Unpatched, No remedy…

References
http://secunia.com/advisories/15605/
http://xforce.iss.net/xforce/xfdb/21954/
http://www.oxid.it/downloads/rdp-gbu.pdf
CVE: CVE-2005-1794
BID:13818

Best Answer

You are still potentially vulnerable unless you have configured the server to only use the newer protocol.

You can do this as follows:

Open the System control panel.
Click on "Remote settings" on the left-hand side.
Make sure that the "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)" option is selected.

Once this is done, OpenVAS should no longer report the vulnerability. (At least, it worked for me.)

Yes

The "Create Certificate Request" Wizard automatically generates a new key pair.

In IIS Server Certificates, I am never asked to generate nor pick a private key.

This is actually not true - the wizard is just not super obvious about it.

When you've entered the identity information (Common Name, Locality, Organization etc.) and hit "Next", the second screen asks for 2 things:

A Cryptographic Service Provider (CSP)
A Bit-length

enter image description here

Choosing the default CSP - the Microsoft RSA SChannel CSP - and a Bit Length of 2048 would be the Windows equivalent to:

openssl req -new -newkey rsa:2048

Anatomy of a Signing Request

The CSR itself can be thought of as having 3 "parts":

Identity information in clear text (CN, Locality, Org. etc.)
- This is simply strings, the signatory (the CA) can alter those at will
The Public Key
- You'll need the corresponding private key on your server
Optional extension fields
- Still just clear text information

The Issuer reviews the information in the signing request, an may alter the contents of both (1) and (3).
The Issuer then uses it's CA private key to encrypt the requesters public key (2).

When the final Certificate is issued it contains:

Identity information in clear text (CN, Locality, Org. etc.)
- Now with Issuer information added
The Public Key
- Still the same as above
Optional extension fields
- Now maybe with Issuer extension fields
A Signature blob
- This is the Public key signed with the CA's private key

Now, the next time a client get's your certificate presented, it can use the Issuer CA's public key to decrypt the signature blob (4) and compare it to the public key in the certificate

Best Answer

Related Solutions

Security – IIS 6.0 PCI Compliance – “Information Disclosure Vulnerability”

Ssl – Does generating a CSR through IIS 7.5 on Windows Server 2008 R2 always create a new private key

Yes

Anatomy of a Signing Request

Related Topic