Microsoft RDP Bug Enables Data Theft, Smart-Card Hijacking

The vulnerability was patched this week in Microsoft’s set of security updates for January 2022.


Microsoft Windows systems going back to at least Windows Server 2012 R2 are affected by a vulnerability in the Remote Desktop Services protocol that gives an attacker connected to a remote system via RDP a way to gain file system access on the machines of other connected users.

Threat actors that exploit the flaw can view and modify clipboard data or impersonate other users logged in to the machine in order to escalate privileges or move laterally on the network, researchers from CyberArk discovered recently. They reported the issue to Microsoft, which issued a patch for the flaw (CVE-2022-21893) in its January security update this Tuesday.

Microsoft’s RDP allows users to access and control a Windows system from a remote client almost as if they were working on the system locally. Organizations use it for a variety of reasons, including enabling remote access to systems for IT help desk and support services, providing remote employees with access to an environment that mimics resources at their office, and enabling access to virtual machines in cloud environments.

In RDP, a single connection can be broken up into multiple virtual channels. Data in these channels are passed to other processes via a Windows service called “named pipes.” “Named pipes are a mechanism for communication between two processes running on a Windows machine,” says Gabriel Sztejnworcel, a software architect at CyberArk. Windows Remote Desktop Services uses named pipes to pass data — such as data in clipboards, and smart-card authentication data — between the client and remote system.
