Windows RDP Allows Login with Revoked Passwords, and Microsoft Approves.

Remote Desktop Protocol Vulnerability Exposes Persistent Access Risks

Recent findings highlight a significant weakness in how Windows handles Remote Desktop Protocol (RDP) logons: a machine will accept a password that has already been changed or revoked. The problem arises when a Windows machine is signed in with a Microsoft or Azure account and that account is used for remote desktop access. In that setup a remote user can authenticate in one of two ways, either with a dedicated local password that is checked against credentials stored on the machine, or with the same online account password that was used at the initial sign-in.

Wade, the security researcher who described the behavior, found that once an account's password is changed, the previous password remains valid for RDP logons to that machine indefinitely. In some cases several previous passwords are accepted while the current one is rejected. Because the check never leaves the machine, it sidesteps every control that sits in front of the online account: cloud-side verification, multi-factor authentication, and Conditional Access policies, leaving the system exposed to anyone who holds an old password.

Experts warn that the risk is greatest when Microsoft or Azure account credentials have been compromised, for example by a leak posted online. Changing the password is the standard response, and it normally cuts off access to online resources. On a machine where the old password was cached, however, the outdated credential still grants RDP access, in effect leaving a backdoor behind. Wade describes the issue as "a silent remote backdoor into any system where the password was ever cached," highlighting that Windows continues to trust previously valid passwords.

Will Dormann, a senior vulnerability analyst, emphasized that there is no security rationale behind the behavior: system administrators reasonably expect old credentials to stop working once a password is changed, and in this case they do not.

The root cause is credential caching on the local machine. When a user first signs in with Microsoft or Azure account credentials, Windows verifies the password online and stores a cryptographically protected derivative of it on disk. Later RDP logons are checked against that local cache rather than against the online account, so no online verification takes place. Nothing in this path invalidates a cached entry when the online password changes, and the check passes for any password whose derivative is present, not only the most recent one. That is why a revoked password continues to work for remote access. Microsoft has described the behavior as a design decision intended to ensure that at least one account can always sign in no matter how long the machine has been offline.
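As an added illustration, not Microsoft's code (the real implementation is not public), the following Python model reproduces the logon path described above: a password verified online is cached as a salted verifier, later logons consult the cache first, and nothing clears the cache when the online password changes. The hardened variant shows the two changes that close the gap: treat the identity provider as authoritative whenever it is reachable, and keep a single verifier per account that is replaced on each successful online check. Account passwords are constructed samples, and PBKDF2 stands in for whatever derivation Windows actually uses.

```python
"""Model of cached-credential RDP logon (added example; Windows' real code is not public).

Reproduces the behaviour described in the article: a password verified online is
cached locally as a salted verifier, later logons are checked against the cache,
and nothing invalidates the cache when the online password changes.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumption: PBKDF2 stands in for Windows' real derivation


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation of a password (what gets stored, never the password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class OnlineIdentityProvider:
    """Stands in for the Microsoft/Azure account service; knows only the current password."""

    def __init__(self, password: str) -> None:
        self.change_password(password)

    def change_password(self, new_password: str) -> None:
        self._salt = os.urandom(16)
        self._verifier = derive_verifier(new_password, self._salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(derive_verifier(password, self._salt), self._verifier)


class CachingHost:
    """The local machine's RDP logon path.

    hardened=False reproduces the reported behaviour: the cache is consulted first
    and every password that ever verified online gets an entry that is never removed.
    hardened=True consults the identity provider first whenever it is reachable and
    keeps at most one verifier per account, replaced on each successful online check.
    """

    def __init__(self, idp: OnlineIdentityProvider, hardened: bool = False) -> None:
        self.idp = idp
        self.hardened = hardened
        self._cache: list[tuple[bytes, bytes]] = []  # (salt, verifier) pairs

    def _cache_hit(self, password: str) -> bool:
        return any(hmac.compare_digest(derive_verifier(password, salt), verifier)
                   for salt, verifier in self._cache)

    def _cache_store(self, password: str) -> None:
        salt = os.urandom(16)
        entry = (salt, derive_verifier(password, salt))
        self._cache = [entry] if self.hardened else self._cache + [entry]

    def rdp_logon(self, password: str, online: bool) -> bool:
        if self.hardened and online:
            # The identity provider is authoritative whenever it can be reached.
            # A rejected attempt deliberately leaves the cache alone: wiping it on
            # failure would let anyone lock the legitimate user out of offline logon.
            if self.idp.verify(password):
                self._cache_store(password)
                return True
            return False
        if self._cache_hit(password):
            # Reported behaviour: a cached match short-circuits the online check,
            # so any password that was ever cached keeps working.
            return True
        if online and self.idp.verify(password):
            self._cache_store(password)
            return True
        return False


def demo(hardened: bool) -> dict[str, bool]:
    """Walk through a leak-and-rotate scenario; all passwords are constructed samples."""
    idp = OnlineIdentityProvider("Winter2024!")
    host = CachingHost(idp, hardened=hardened)
    host.rdp_logon("Winter2024!", online=True)  # first sign-in seeds the cache
    idp.change_password("Spring2025!")          # user rotates after the old one leaks
    return {
        "new_pw_offline": host.rdp_logon("Spring2025!", online=False),  # not cached yet
        "old_pw_online": host.rdp_logon("Winter2024!", online=True),
        "new_pw_online": host.rdp_logon("Spring2025!", online=True),
        "old_pw_offline": host.rdp_logon("Winter2024!", online=False),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "as reported", demo(mode))
```

In the as-reported mode the old password keeps working both online and offline after the rotation, and the new password fails offline until it has been used online once, which is the "older passwords succeed while the latest fails" pattern from the article. In the hardened mode the old password is rejected as soon as the identity provider can be asked, and it stops working offline the first time the user signs in with the new one. The residual window between rotation and that first online sign-in is the one gap the cache-based design cannot close by itself.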

Given the potential impact, organizations should review where RDP is enabled, which accounts are allowed to use it, and whether those machines are signed in with Microsoft or Azure accounts. Understanding how this kind of access is gained and kept is the first step toward mitigating it. In MITRE ATT&CK terms the behavior maps to Valid Accounts (T1078) under the Initial Access and Persistence tactics, and to Remote Services: Remote Desktop Protocol (T1021.001) under Lateral Movement.

In summary, the continued validity of old passwords for RDP logons is a pressing concern that attackers holding leaked credentials can exploit. Because Microsoft treats the behavior as intended rather than as a bug to be patched, defenders cannot wait for a fix. They should limit RDP exposure, stop relying on a password change alone to revoke access to a machine, and monitor RDP logons closely, particularly in the period after an account's password has been rotated. The gravity of these findings underscores the need for prompt action to protect sensitive systems against compromised accounts.
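One way to put the monitoring advice into practice, as an added example that is not part of the original article: since a stale cached password satisfies the local check, the resulting RDP logon looks like any other Security event 4624 with LogonType 10 (RemoteInteractive). The signal therefore has to come from correlation. The script below, written for this page, parses 4624 records in the XML form that `wevtutil qe Security /f:xml` emits (wrapped here in a single root element), takes per-account password-rotation times from the identity provider's audit log, and flags RDP logons that occur after a rotation from a source address never seen for that account before it. The events, account names, addresses and rotation time are all constructed; the `MicrosoftAccount` domain value is included for realism but the logic does not depend on it.

```python
"""Flag RDP logons that post-date an online password rotation (added example, not from the article).

Input is Windows Security event XML of the kind produced by
`wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml`, wrapped in one root
element. Because a stale cached password still satisfies the local check, the logon
itself looks ordinary; the signal comes from correlating with the identity provider's
audit trail: an RDP logon (LogonType 10) after the account's password was changed,
from a source address never seen for that account before the change.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RDP_LOGON_TYPES = {"10"}  # RemoteInteractive; type 7 (Unlock) also covers RDP reconnects but is noisy


def _event(ts: str, user: str, domain: str, logon_type: str, ip: str) -> str:
    """Build one constructed 4624 record carrying the fields the detection reads."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>4624</EventID><TimeCreated SystemTime="{ts}"/></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">{domain}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed sample: alice's online password is rotated on 2025-05-01.
# "MicrosoftAccount" is how Microsoft-account users appear in 4624 (assumption; not relied on).
SAMPLE_XML = "<Events>" + "".join([
    _event("2025-04-20T08:15:00.1234567Z", "alice", "MicrosoftAccount", "10", "10.0.0.5"),
    _event("2025-04-21T09:00:00.0000000Z", "alice", "MicrosoftAccount", "2", "-"),
    _event("2025-04-22T10:30:00.0000000Z", "bob", "MicrosoftAccount", "10", "198.51.100.9"),
    _event("2025-05-03T08:05:00.0000000Z", "alice", "MicrosoftAccount", "10", "10.0.0.5"),
    _event("2025-05-03T09:12:44.7654321Z", "alice", "MicrosoftAccount", "10", "203.0.113.7"),
]) + "</Events>"

# account -> time the online password was last changed (constructed; comes from the IdP audit log)
ROTATIONS = {"alice": datetime(2025, 5, 1, tzinfo=timezone.utc)}


def _parse_time(system_time: str) -> datetime:
    # Windows writes seven fractional digits, which fromisoformat() rejects on older Pythons.
    return datetime.fromisoformat(re.sub(r"\.\d+", "", system_time).replace("Z", "+00:00"))


def parse_events(xml_text: str) -> list[dict]:
    """Flatten each <Event> into a dict of its EventData fields plus EventID and Time."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        record = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        record["EventID"] = system.find("e:EventID", NS).text
        record["Time"] = _parse_time(system.find("e:TimeCreated", NS).get("SystemTime"))
        events.append(record)
    return events


def flag_post_rotation_rdp(events: list[dict], rotations: dict[str, datetime]) -> list[dict]:
    """Return RDP logons after an account's rotation from a source not seen before the rotation."""
    baseline: dict[str, set[str]] = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] != "4624" or ev.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        user, src = ev.get("TargetUserName", "").lower(), ev.get("IpAddress", "-")
        rotated_at = rotations.get(user)
        if rotated_at is None or ev["Time"] < rotated_at:
            baseline.setdefault(user, set()).add(src)  # pre-rotation sources form the baseline
            continue
        if src not in baseline.get(user, set()):
            findings.append({"user": user, "src": src, "time": ev["Time"].isoformat(),
                             "reason": "RDP logon after password rotation from a source not seen before it"})
    return findings


def run_demo() -> list[dict]:
    return flag_post_rotation_rdp(parse_events(SAMPLE_XML), ROTATIONS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a real host the events would come from `wevtutil` or `Get-WinEvent` rather than the constructed sample, and the rotation times from the Microsoft account or Entra ID audit logs. The heuristic is deliberately narrow: a logon from an address the account used before the rotation is not flagged, so an attacker who already sat on the same network would slip through, and the pre-rotation baseline must cover enough history to avoid false positives from legitimate new locations.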
