
> Almost no big company is using Win10.

Ok. I'm glad you have a survey of every business out there.

> Is exploit code out there?

You use any non-Win10 RDP client and enter the username with the blank password.

> Also further evidence that remote technologies like ssh, rdp, etc should always be wrapped in something else like VPN or at least strictly firewalled off to known good IPs

RDP seems like a shitty remote access protocol wrt security, but VPN products are certainly worse than OpenSSH.



How long a large enterprise takes to move to a new Windows has been studied and published. The typical update is close to 4-5 years. Hell, many shops only recently moved from XP to 7. Hell, Win7 is almost seven years old!

>You use any non-Win10 RDP client and enter the username with the blank password.

What username? What code generates the correct name? That's what I was referring to. Say there is a Win10 Pro machine with RDP enabled for the account 'jmpendergrast' with no password and listening on 3389 with no firewall blocking it. Wonderful, how many passes until you guess that? Where is the automation code?

Note, by default windows will not let you use a password-less account for RDP:

https://support.microsoft.com/en-us/kb/303846

So that's another hurdle someone has to get through.

Also, when RDP is enabled, it defaults to the newer versions which don't have this bug. You need to specify legacy access as well. Another hurdle.

So let me summarize what needs to happen for this attack to work: Win10 needs RDP enabled with legacy access explicitly allowing non-NLA connections. Then Win10 needs a firewall rule for 3389 from its router or to be put on the internet without a NAT/firewall. Then Win10 needs someone to make an account with a password (passwords are mandatory for RDP). Then someone needs to change the registry to allow blank passwords for an RDP user. Then that user needs to remove the password from that account. Then that user needs to be put in the RDP group.

And if a home user does this, he or she isn't using a local account they're probably using a MSN account.

This is very much an edge case here.

>RDP seems like a shitty remote access protocol wrt security, but VPN products are certainly worse than OpenSSH.

Everything sucks but FOSS right? How non-biased of you. I won't mention heartbleed and shellshock then.
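
As an added example (not from any commenter in this thread), here is a PowerShell audit that checks, on the Win10 host itself, each of the settings the summary above says must all be weakened before a blank-password RDP logon is reachable. The registry paths and cmdlets are the standard Windows ones; the function name and the "exposed" verdict are my own construction, and the blank-password check is only a heuristic (PasswordRequired=false permits a blank password, it does not prove one is set).

```powershell
# Added audit example, not code from the original thread. Run in an elevated
# PowerShell 5.1 session on the Windows 10 Pro host being checked (Home has no
# RDP host). Each check maps to one "hurdle" in the summary above.

function Get-RdpBlankPasswordExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # 1. Remote Desktop enabled at all (fDenyTSConnections = 0 means allowed).
    $rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # 2. NLA required? UserAuthentication = 1 is the Win10 default; 0 is the
    #    "legacy access" switch that re-enables the pre-NLA logon path.
    $nlaRequired = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1

    # 3. Blank-password network logons. LimitBlankPasswordUse = 1 (the default
    #    described in KB303846) blocks them; 0 is the registry change the summary
    #    says someone has to make. A missing value behaves like 1.
    $blankLimited = (Get-ItemProperty -Path $lsa -Name LimitBlankPasswordUse `
                     -ErrorAction SilentlyContinue).LimitBlankPasswordUse -ne 0

    # 4. An enabled inbound allow rule that opens TCP 3389 on the host firewall
    #    (the router/NAT side cannot be checked from here).
    $fwOpen = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
                Get-NetFirewallPortFilter |
                Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '3389' }).Count -gt 0

    # 5. Members of the RDP group whose account permits a blank password.
    #    Get-LocalGroupMember returns "HOST\user"; strip the host part so it
    #    can be matched against Get-LocalUser names. Local Administrators can
    #    also RDP without group membership, so check them too.
    $rdpMembers = @(
        Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
        Get-LocalGroupMember -Group 'Administrators'       -ErrorAction SilentlyContinue
    ) | ForEach-Object { ($_.Name -split '\\')[-1] } | Sort-Object -Unique

    $weakUsers = @(Get-LocalUser |
                   Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
                   Select-Object -ExpandProperty Name)

    $weakRdpUsers = @($weakUsers | Where-Object { $rdpMembers -contains $_ })

    [PSCustomObject]@{
        RdpEnabled             = $rdpEnabled
        NlaRequired            = $nlaRequired
        BlankPasswordLimited   = $blankLimited
        HostFirewallOpens3389  = $fwOpen
        BlankPasswordRdpUsers  = $weakRdpUsers
        # Every hurdle has to be cleared at once for the case in the thread.
        Exposed = $rdpEnabled -and -not $nlaRequired -and -not $blankLimited -and
                  $fwOpen -and ($weakRdpUsers.Count -gt 0)
    }
}

# Restores the two defaults the thread relies on (NLA required, blank passwords
# limited to console logon). Safe to run repeatedly; supports -WhatIf.
function Set-RdpSafeDefaults {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $tcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($PSCmdlet.ShouldProcess($tcp, 'Set UserAuthentication=1 (require NLA)')) {
        Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($lsa, 'Set LimitBlankPasswordUse=1')) {
        Set-ItemProperty -Path $lsa -Name LimitBlankPasswordUse -Value 1 -Type DWord
    }
}

Get-RdpBlankPasswordExposure | Format-List
```

Run the audit first; only if it reports `Exposed : True` does the host match the edge case described in the thread, and `Set-RdpSafeDefaults -WhatIf` shows which of the two defaults would be restored before you commit to the change.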


>Note, by default windows will not let you use a password-less account for RDP:

That is what this bug is about. I think there is a chance that the login screen may show the usernames.

Update: reproed and confirmed how it shows the usernames, in fact in some cases it can login automatically!


> Everything sucks but FOSS right? How non-biased of you. I won't mention heartbleed and shellshock then.

Nope, but OpenSSH (not PAM) is leaps and bounds above everything else.

Almost all of your beloved VPN software was probably susceptible to heartbleed.

But mostly I've looked at software from "security" companies, and overall it's a steaming pile of shit.

It's probably not going to get popped by non-state actors. I'd say the same things about ssh & rdp in general, but rdp has had a non-trivial amount of bugs in it.


Corporate VPNs aren't OpenSSL, they're usually IPSec implementations and not susceptible to heartbleed.

>It's probably not going to get popped by non-state actors.

Not too long ago people were making this argument but including both OpenSSL and OpenSSH. Now it's just OpenSSH. Funny how that works. The reality is that layered security is a best practice, and just expecting something to be perfect forever because of past performance is a very questionable premise.


>You use any non-Win10 RDP client and enter the username with the blank password.

I think they are referring to automated attacks.



