Kieran Jacobsen

He/Him. Microsoft MVP and GitKraken Ambassador. 🌏 Poshsecurity.com. 🏳‍🌈 Gay. 🐱 Cat owner.

Protecting yourself against the BlueGate RDP Gateway vulnerability

Schadenfreude is a wonderful feeling, but when it comes to information security, we must always remember that we live in glass houses. Over the past few months, as vulnerabilities have been rampantly exploited in SSL VPN products like those from Pulse, Fortinet and Citrix, I found myself deriving some enjoyment. Karma, of course, was on its way.

Microsoft patched two vulnerabilities, dubbed BlueGate (CVE-2020-0609 and CVE-2020-0610), as part of the January 2020 Patch Tuesday cycle. Both are pre-authentication Remote Code Execution (RCE) vulnerabilities in the Remote Desktop Gateway: an unauthenticated attacker who can connect to a target system using RDP and send specially crafted requests can execute code on the gateway itself. Because exploitation happens before any credentials are exchanged, MFA will not protect you from this vulnerability. The affected versions are Windows Server 2012, 2012 R2, 2016 and 2019.

Considering that RDP Gateway servers typically exist to provide a mechanism for users outside the network to access trusted internal systems, exploiting this vulnerability could potentially provide an attacker with network-wide access.

Security researcher Ollypwn has released a proof-of-concept (PoC) exploit that results in a denial of service (DoS). Luca Marcelli has also released a video showing a working RCE exploit.

Thankfully there is a small glimmer of hope. The vulnerability only affects the UDP transport (port 3391) of the RDP Gateway, not the HTTPS transport. Depending upon the configuration, administrators may have only exposed the HTTPS transport to the Internet. If patching is not immediately an option, one mitigation is to disable the UDP transport in RD Gateway Manager or block UDP 3391 at the firewall; RDP clients will fall back to the HTTPS transport.
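The check-and-block step above, as an added example rather than code from the original post: it reports whether the RD Gateway role is installed and whether anything is bound to UDP/3391 on the local host, then adds an idempotent inbound Windows Firewall block rule for that port. It assumes the gateway uses the default UDP port and that the Windows Firewall is an enforcement point you control; the rule name is chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): find and block the RD Gateway UDP
# transport on the local host as a stop-gap until the BlueGate patch is applied.
# Assumptions: default UDP port 3391; Windows Firewall is the enforcement point.
# If a perimeter firewall fronts the gateway, block UDP/3391 there as well.

$RuleName = 'Block RD Gateway UDP transport (3391)'   # name chosen for this example
$UdpPort  = 3391                                      # default RD Gateway UDP port

function Get-RdGatewayUdpExposure {
    # Is the RD Gateway role present on this box?
    $feature = Get-WindowsFeature -Name RDS-Gateway -ErrorAction SilentlyContinue
    $roleInstalled = [bool]($feature -and $feature.Installed)

    # Is anything bound to UDP/3391 right now? The gateway service listens here
    # when "Enable UDP transport" is ticked in RD Gateway Manager.
    $listeners = @(Get-NetUDPEndpoint -LocalPort $UdpPort -ErrorAction SilentlyContinue)
    $owners = foreach ($ep in $listeners) {
        $p = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        if ($p) { '{0} (PID {1})' -f $p.ProcessName, $p.Id }
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RdGatewayRole    = $roleInstalled
        UdpListening     = ($listeners.Count -gt 0)
        ListeningProcess = (@($owners) -join ', ')
        LocalAddresses   = (@($listeners | ForEach-Object LocalAddress | Sort-Object -Unique) -join ', ')
    }
}

function Block-RdGatewayUdpTransport {
    # Idempotent: create the inbound block rule once; re-enable it if someone turned it off.
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -DisplayName $RuleName `
            -Description 'BlueGate mitigation: block RD Gateway UDP transport until patched' `
            -Direction Inbound -Protocol UDP -LocalPort $UdpPort `
            -Profile Any -Action Block -Enabled True | Out-Null
    } elseif ("$($existing.Enabled)" -ne 'True') {
        Enable-NetFirewallRule -DisplayName $RuleName
    }
    # Return the rule so the caller can confirm Action=Block and Enabled=True.
    Get-NetFirewallRule -DisplayName $RuleName |
        Select-Object DisplayName, Enabled, Direction, Action
}

$exposure = Get-RdGatewayUdpExposure
$exposure | Format-List

if ($exposure.UdpListening) {
    Write-Warning "UDP/$UdpPort is listening on $($exposure.ComputerName); adding firewall block rule."
    Block-RdGatewayUdpTransport
} else {
    Write-Host "No UDP/$UdpPort listener found on $($exposure.ComputerName); nothing to block here."
}
```

Blocking the port only removes the vulnerable transport; it is a mitigation, not a fix, and the HTTPS transport on 443 still has to be patched on the same Patch Tuesday schedule. If your gateway was configured with a non-default UDP port, change `$UdpPort` to match what `Get-NetUDPEndpoint` shows for the gateway service before relying on the rule.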

If you run RDP Gateways, please work to ensure that you patch, or at least disable the UDP transport, as quickly as possible. As with the Shitrix and SSL VPN vulnerabilities, once RCE exploit code is released I expect attackers to add this to their ransomware toolkit, much as they did with those.
