VMware View Desktops and MS12-020 = Potential Troubles

Assuming you have created a VMware View Desktops Pool, the end result will be that RDP is enabled on the View Desktops. [1]

In the context of MS12-020 [2][3], this means potential trouble, especially now that PoC code is already available. It does not matter that the desktops are not directly accessible from the Internet: a worm targeting MS12-020, downloaded by one user onto their virtual desktop, could impact all the View Desktops local to it.

Even if you take the measure described in [1] (I did not test it, so I’m not sure), I think the exploit still works.

So if you have not done so already, make sure you install the MS12-020 patch on all your View Desktops. If you use Linked-Clone Desktops, patch the parent virtual machine, take a snapshot and recompose the Linked-Clone Desktops.

Alternatively, if for some reason you can't apply the patch yet and you’ve deployed vShield App, you can filter (deny) RDP inside the port group where the virtual desktops are located: add a deny rule for the RDP application that selects the port group as both source and destination, with the direction set to inside for both of them.
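To confirm that the deny rule really blocks desktop-to-desktop RDP, you can run a reachability check from one desktop in the port group against its peers. The script below is an added example, not VMware or Microsoft tooling; it assumes RDP listens on the default TCP port 3389 and that you pass the peer desktop addresses on the command line.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

RDP_PORT = 3389  # assumption: desktops use the default RDP port


def probe(host, port=RDP_PORT, timeout=2.0):
    """Classify one TCP connection attempt from this desktop to a peer."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"       # handshake completed: RDP still reachable
    except ConnectionRefusedError:
        return "closed"         # RST received: no listener, or a rejecting rule
    except (socket.timeout, TimeoutError):
        return "filtered"       # no reply before the timeout (packet dropped)
    except OSError:
        return "unreachable"    # no route, host down, bad address, ...


def audit(peers, port=RDP_PORT, timeout=2.0):
    """Probe every peer desktop in parallel and return {peer: state}."""
    peers = list(peers)
    with ThreadPoolExecutor(max_workers=16) as pool:
        states = pool.map(lambda h: probe(h, port, timeout), peers)
        return dict(zip(peers, states))


def still_exposed(results):
    """Peers that still accept RDP from inside the port group."""
    return sorted(h for h, state in results.items() if state == "open")


if __name__ == "__main__":
    # Usage: python rdp_rule_check.py <peer-ip> [<peer-ip> ...]
    results = audit(sys.argv[1:])
    for host, state in results.items():
        print(f"{host}: {state}")
    # Non-zero exit if any peer still accepts intra-port-group RDP.
    sys.exit(1 if still_exposed(results) else 0)
```

Any peer reported as `open` after the rule is published means the rule is not being applied to that desktop's traffic.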

References

[1] Prevent Access to View Desktops Through RDP
http://pubs.vmware.com/view-50/index.jsp?topic=/com.vmware.view.administration.doc/GUID-E9B84CCB-F0D5-4198-B986-2B46AD589452.html

[2] Why We Rated the MS12-020 Issue with RDP "Patch Now"
http://isc.sans.org/diary/Why+We+Rated+the+MS12-020+Issue+with+RDP+Patch+Now+/12781

[3] MS12-020 RDP vulnerabilities: Patch, Mitigate, Detect
http://isc.sans.org/diary/MS12-020+RDP+vulnerabilities+Patch+Mitigate+Detect/12808

[4] Proof-of-Concept Code available for MS12-020
http://blogs.technet.com/b/msrc/archive/2012/03/16/proof-of-concept-code-available-for-ms12-020.aspx
