ITProJeff
Newcomer II

Cybersecurity Insurance denied due to RDS Gateway

I recently had a client get denied Cybersecurity Insurance due to their RDS Gateway being exposed to the internet (this is RDS Gateway on port 443/3391, not Remote Desktop port 3389). Their claim was that "Current threat actor activity on the internet is focusing on targeting this technology to deploy ransomware and other malware." We had GeoIP filtering restricting access to USA only, MFA, and a brute-force detection/IP blocking software installed. Their only solution was to put it behind a VPN or disable it altogether. We're currently pressing them to find out if that's also required for Citrix NetScaler or VMware Horizon, since they're exposed to the internet as well and can (and have) had vulnerabilities.


I have not heard of any "threat actor activity" actively exploiting RDS Gateway and am wondering if the new standard is not exposing it to the internet and I missed that? Is everyone else putting it behind a VPN and praying for no or low vulnerabilities on that?

13 Replies
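The original post mentions GeoIP filtering plus brute-force detection/IP blocking in front of RD Gateway without showing what either check looks like. The following is an added example, not code from the original post or from any product named in the thread: a sliding-window detector over RD Gateway connection-authorization failures, with a stand-in allowlist for the geo filter. The sample events are constructed; the use of event ID 202 (Microsoft-Windows-TerminalServices-Gateway/Operational, "did not meet connection authorization policy requirements") as the failure signal, the `(timestamp, event_id, source_ip, username)` tuple layout, the thresholds and the `198.51.100.0/24` allowlist are all assumptions for this demo.

```python
"""Brute-force / spray detection over RD Gateway CAP-failure events.

Added example, not from the original post. Event ID 202 as the failure
signal, the tuple layout, thresholds and the allowlist are assumptions.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, source_ip, username).
# 203.0.113.7 hits five different usernames in 21 seconds; 198.51.100.4 is
# one user who succeeds (200) and later fails twice, far apart.
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:00", 202, "203.0.113.7", "admin"),
    ("2024-03-01T10:00:04", 202, "203.0.113.7", "administrator"),
    ("2024-03-01T10:00:09", 202, "203.0.113.7", "jsmith"),
    ("2024-03-01T10:00:15", 202, "203.0.113.7", "backup"),
    ("2024-03-01T10:00:21", 202, "203.0.113.7", "svc_sql"),
    ("2024-03-01T10:00:30", 200, "198.51.100.4", "jdoe"),
    ("2024-03-01T10:05:00", 202, "198.51.100.4", "jdoe"),
    ("2024-03-01T10:20:00", 202, "198.51.100.4", "jdoe"),
]

FAILURE_EVENT_ID = 202             # assumption: CAP failure event
THRESHOLD = 5                      # failures per window before flagging
WINDOW = timedelta(minutes=2)      # sliding window length

# Stand-in for a "USA only" GeoIP allowlist; a real deployment consults a
# country database rather than a hard-coded prefix list.
ALLOWED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def geo_allowed(ip: str) -> bool:
    """Return True if the source address falls inside the geo allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def analyze(events, threshold=THRESHOLD, window=WINDOW):
    """Flag source IPs with >= threshold CAP failures inside a sliding window.

    Returns {ip: {"first_flagged", "failures", "distinct_users", "pattern"}}.
    Many distinct usernames from one IP is reported as "spray"; repeated
    failures against a single account as "brute-force".
    """
    recent = defaultdict(deque)    # ip -> deque of (time, user), oldest first
    findings = {}
    for ts, eid, ip, user in sorted(events):   # ISO-8601 strings sort by time
        if eid != FAILURE_EVENT_ID:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((t, user))
        # Evict failures that fell out of the window relative to this event.
        while t - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in findings:
            users = {u for _, u in q}
            findings[ip] = {
                "first_flagged": t,
                "failures": len(q),
                "distinct_users": len(users),
                "pattern": "spray" if len(users) > 1 else "brute-force",
            }
    return findings


def block_candidates(events):
    """IPs to feed the firewall block list: flagged by analyze(), plus any
    failing source that should never have reached the gateway under the
    geo allowlist (a sign the geo filter is not in front of the gateway)."""
    flagged = set(analyze(events))
    out_of_region = {ip for _, eid, ip, _ in events
                     if eid == FAILURE_EVENT_ID and not geo_allowed(ip)}
    return sorted(flagged | out_of_region)


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_EVENTS).items():
        print(ip, info)
    print("block:", block_candidates(SAMPLE_EVENTS))
```

The eviction loop keeps only failures within `WINDOW` of the current event, so a slow, patient attacker (one failure every few minutes) is not flagged by this rule alone; a second, longer window or a per-username counter would be the usual complement. Note that none of this changes the insurer's point in the post: the check runs only after the request has already reached the gateway's unauthenticated surface.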
KPA
Viewer II

I agree - VPN is being phased out by many organizations. Attacks do come from remote users over the IPsec tunnel - I have seen that happen to companies we have assisted.


Anyhow, SASE is good for securing RDP. Azure App Proxy and TruGrid SecureRDP are two good products for securing RD Gateway.


Peter

chozn
Viewer

@ITProJeff Could CVE-2020-0610 be what they were thinking about? "A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's RD Gateway via RDP. The update addresses the vulnerability by correcting how RD Gateway handles connection requests."

denbesten
Community Champion


@chozn wrote:

@ITProJeff Could CVE-2020-0610 be what they were thinking about?


CVE-2020-0610 was mitigated with routine monthly patches in Jan 2020. If the single vulnerability were the target of concern, I would think the finding would have been "failure to promptly apply patches", not "we hate RDP gateway".

KPA
Viewer II


Zero Trust solution is the way to go nowadays for accessing RDS / RDP or VDI over the internet. More below.


We hear more and more about Cybersecurity Insurance companies denying coverage due to RD Gateway / RD Web over TCP 443 (HTTPS), even with 2FA. The reasons vary, but they all center around known attacks against these solutions. Please see below two references:


  1. CVE-2020-0609 : A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD G...
  2. Microsoft’s Remote Desktop Web Access Vulnerability — Raxis
  3. Since you asked, similar attacks can affect most gateway technologies to VDIs - such as Citrix NetScaler. See below 8 CVEs for NetScaler: Citrix Netscaler : List of security vulnerabilities (cvedetails.com)
  4. VPN has its own issues since all remote VPN connections become an extension of the corporate network and a breach on the remote network can traverse the VPN tunnel to infect the corporate network

Popular solutions today include the following:

  1. Azure Virtual Desktop or Microsoft 365. These solutions use Azure control plane to provide cloud authentication that is separate from the resource network. Essentially, there is zero firewall exposure where your RDS / RDP servers are and users must authenticate at the Azure cloud before access is granted. Microsoft calls this "reverse connect". Unfortunately, this solution is limited to Azure Cloud
  2. Both AWS and Azure also have a solution called "Bastions" - but also limited to their respective cloud
  3. One solution that works on any cloud or datacenter is TruGrid SecureRDP. Here is a video on how it works: How TruGrid SecureRDP Works | TruGrid Help


All the best.