The Cyolo security team recently identified a significant vulnerability in the Remote Desktop Gateway. This vulnerability, tagged as CVE-2023-35332, is centered around the usage of an outdated and deprecated protocol, Datagram Transport Layer Security (DTLS) version 1.0, which presents significant security and compliance risk to organizations.
Identifying the Vulnerability
An RDP Gateway, or Remote Desktop Gateway, is a secure network tunnel used for remote connections to internal network services via the Remote Desktop Protocol (RDP). Its goal is to provide secure, encrypted access to internal resources from outside the network, without the need for a Virtual Private Network (VPN). To enhance performance, the RDP Gateway provides support for the User Datagram Protocol (UDP), which is designed to improve the speed of data transmission by avoiding the overhead of error-checking processes. However, this same protocol introduces the vulnerability that has now come to light.
When operating normally, the RDP Gateway protocol creates a primary secure channel over Transport Control Protocol (TCP), utilizing Transport Layer Security (TLS) version 1.2, a standard protocol for providing communication security. Subsequently, a secondary channel is established over UDP, employing DTLS 1.0. Notably, due to known vulnerabilities and security risks, this specific version of DTLS has been officially deprecated since March 2021, according to RFC 8996.
Why This Vulnerability is Dangerous
This RDP Gateway vulnerability presents both a substantial security risk and a significant compliance issue. The use of deprecated and outdated security protocols, such as DTLS 1.0, may lead to inadvertent non-compliance with industry standards and regulations such as SOC 2, FEDRAMP, PCI DSS, HIPAA, and others. Many organizations may unknowingly be in breach of their compliance requirements due to this issue, leaving them open not just to security threats but also to potential legal disputes and hefty fines.
Potential Solutions and Workarounds
Update your RDP Gateway Server: Microsoft has issued a fix release for this vulnerability. All organizations are strongly encouraged to update their RDP Gateway server with the latest Microsoft Fix Release. This update provides necessary patches to secure your RDP Gateway server, thereby addressing the identified vulnerability associated with DTLS 1.0 usage.
Disable UDP Support: In cases where an immediate update is not possible, an effective workaround is to disable UDP support in the RDP Gateway. This will prevent the establishment of the secondary channel over UDP, eliminating the use of the deprecated DTLS 1.0 and mitigating the vulnerability. Please note that while disabling UDP support could potentially impact performance, it is a necessary action to ensure security and compliance until the server can be updated.
Reporting to MSRC: A Responsible Disclosure
As always, the team at Cyolo is committed to contributing to the wider industry ecosystem, to ensuring the security of users, and to preventing any potential misuse of this (and any other) vulnerability.
Therefore, prior to sharing this vulnerability with the public, we responsibly disclosed its existence to the Microsoft Security Response Center (MSRC). Upon reviewing our report, the MSRC team agreed with our assessment regarding the potential and set to work on a fix for addressing the issue. Microsoft released a security patch on July 11, 2023 and assigned CVE-2023-35332, effectively mitigating the risks associated with this vulnerability.
Disclosure Timelines
Timelines for this vulnerability disclosure are as follows:
Mar 22, 2023 — Vulnerability discovered and reported through the MSRC portal
Mar 22, 2023 — MSRC ticket was moved to review/repro
Apr 1, 2023 — MSRC agreed on the ticket and status changed to develop
Jul 11, 2023 — Public release of the security advisory
