Windows RDP Vulnerability (CVE-2015-2472, MS15-082)
This post discusses the Windows RDP vulnerability identified as CVE-2015-2472 and offers recommendations for mitigation.
A few days ago, reports emerged of a strange issue: from time to time, connections to “Remote Desktop” over the RDP protocol became impossible, and after a while the problem went away on its own.
If you run nmap while RDP is unavailable, it reports port 3389/tcp, which is used for RDP connections, as closed. In this case the Windows firewall on the server was turned off, and traffic filtering on the network equipment had been ruled out:
Starting Nmap 5.51 ( http://nmap.org ) at 2015-08-12 19:16 EEST
Nmap scan report for XXXXXX (aa.bb.cc.dd)
Host is up (0.00047s latency).
Not shown: 991 filtered ports
PORT     STATE  SERVICE
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
1025/tcp open   NFS-or-IIS
1026/tcp open   LSA-or-nterm
1027/tcp open   IIS
1028/tcp open   unknown
1029/tcp open   ms-lsa
3389/tcp closed ms-term-serv
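To pin down exactly when the port flips between open and closed, the following added example (written for this edit, not code from the original post or from any vendor) polls the RDP port from another machine and appends a timestamped line to a log file each time the observed state changes, so the transitions can be matched against the server's event logs. The target hostname, polling interval and log path are assumptions; replace them with your own.

```powershell
# Added example: watch a TCP port and log state transitions (open / closed / filtered).
# Target hostname, interval and log path below are assumed values.
param(
    [string]$Target      = "rdp-server.example.internal",   # assumed hostname
    [int]$Port           = 3389,
    [int]$IntervalSec    = 30,
    [string]$LogPath     = "$env:TEMP\rdp-port-watch.log"
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # Neither SYN/ACK nor RST arrived within the timeout: nmap would call this "filtered".
            return "filtered"
        }
        # EndConnect throws when the host answered with RST (nmap "closed").
        $client.EndConnect($async)
        return "open"
    } catch {
        # Connection refused; a DNS failure also lands here, so check the name once by hand.
        return "closed"
    } finally {
        $client.Close()
    }
}

$previous = $null
while ($true) {
    $state = Test-TcpPort -ComputerName $Target -Port $Port
    if ($state -ne $previous) {
        $stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
        $line  = "$stamp ${Target}:$Port $state"
        Add-Content -Path $LogPath -Value $line
        Write-Host $line
        $previous = $state
    }
    Start-Sleep -Seconds $IntervalSec
}
```

Only transitions are written, so a stable port produces a single line; the timestamps of the "closed" entries are what you compare with the System and TerminalServices event logs on the server.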
Unfortunately, the exact cause of these outages is not yet known, but it is worth drawing attention to Microsoft Security Bulletin MS15-082 (rated Important), published on August 11, 2015, which delivers a security update for various Windows versions addressing a vulnerability in the RDP protocol implementation.
According to the vulnerability description, an attacker can execute arbitrary code on a remote system by establishing an RDP connection with specific parameters. The vulnerability covered by MS15-082 is rated Important; however, no further details about the issue are available at the moment.
It is also worth noting the announcement of CVE-2015-2472. The identifier is currently in reserved status, and full details of the issue are to be published later. Some information is also available on SecurityLab.ru.
This vulnerability and its associated effects are also actively discussed on the Microsoft technical support forum.
We recommend treating this potentially serious vulnerability with due attention. Be sure to install the latest patches, consider moving RDP to a non-standard port (don’t forget to add a corresponding rule in Windows Firewall!), and tighten access controls, for example by allowing connections to your server only from trusted IP addresses.
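As an added example of the recommended steps (written for this edit; not code from the original post or from Microsoft), the script below checks that the MS15-082 update is present, opens a non-standard port in Windows Firewall restricted to trusted addresses, moves the RDP listener to that port and disables the default rules that allow 3389 from anywhere. The KB number is a placeholder to be taken from the bulletin for your Windows version; the new port number and the trusted address ranges are constructed sample values. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the NetSecurity cmdlets exist.

```powershell
# Added example: apply the post's three recommendations on the server itself.
# Placeholders and assumed values are marked; run in an elevated PowerShell session.
$UpdateKb   = "KB<MS15-082-update-number>"            # placeholder: KB for your Windows version
$NewPort    = 33890                                    # assumed non-standard RDP port
$TrustedIPs = @("203.0.113.10", "198.51.100.0/24")    # constructed sample addresses (RFC 5737 ranges)
$regPath    = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

# 1. Confirm the MS15-082 update is installed.
if (Get-HotFix -Id $UpdateKb -ErrorAction SilentlyContinue) {
    Write-Host "$UpdateKb is installed."
} else {
    Write-Warning "$UpdateKb not found - install the MS15-082 update first."
}

# 2. Open the new port BEFORE moving the listener, and only for trusted sources,
#    so the server is never left unreachable between the two steps.
New-NetFirewallRule -DisplayName "RDP (custom port, trusted sources)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress $TrustedIPs -Action Allow -Profile Any

# 3. Move the RDP listener to the new port (takes effect when the service restarts).
Set-ItemProperty -Path $regPath -Name PortNumber -Value $NewPort -Type DWord

# 4. Disable the built-in rules that still admit 3389 from any address.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Disable-NetFirewallRule

# 5. Restart Remote Desktop Services. This drops every active RDP session.
Restart-Service -Name TermService -Force

# 6. Verify the registry value and that the listener is bound to the new port.
(Get-ItemProperty -Path $regPath -Name PortNumber).PortNumber
Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
```

Test this in a maintenance window and keep an out-of-band console available, since a typo in the trusted address list locks you out as effectively as it locks out everyone else. Moving the port only hides the service from scanners that probe 3389; the update and the source-address restriction are what actually reduce exposure, and clients must be updated to connect to `host:33890` (or whatever port you chose).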