Microsoft Security Bulletin MS15-030 - Important

Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (3039976)

Published: March 10, 2015

Version: 1.0

Executive Summary

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker creates multiple Remote Desktop Protocol (RDP) sessions that fail to properly free objects in memory. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

This security update is rated Important for all supported editions of Windows 7, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. For more information, see the Affected Software section.

The security update addresses the vulnerability by correcting how RDP manages objects in memory. For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3039976.

Affected Software

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Affected Software

Operating System | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced

Windows 7
Windows 7 for 32-bit Systems Service Pack 1 (3035017)[1] | Denial of Service | Important | None
Windows 7 for 32-bit Systems Service Pack 1 (3036493) | Denial of Service | Important | None
Windows 7 for x64-based Systems Service Pack 1 (3035017)[1] | Denial of Service | Important | None
Windows 7 for x64-based Systems Service Pack 1 (3036493) | Denial of Service | Important | None

Windows 8 and Windows 8.1
Windows 8 for 32-bit Systems (3035017) | Denial of Service | Important | 2965788 in MS14-030
Windows 8 for x64-based Systems (3035017) | Denial of Service | Important | 2965788 in MS14-030
Windows 8.1 for 32-bit Systems (3035017) | Denial of Service | Important | None
Windows 8.1 for x64-based Systems (3035017) | Denial of Service | Important | None

Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012 (3035017) | Denial of Service | Important | 2965788 in MS14-030
Windows Server 2012 R2 (3035017) | Denial of Service | Important | None

Server Core installation option
Windows Server 2012 (Server Core installation) (3035017) | Denial of Service | Important | 2965788 in MS14-030
Windows Server 2012 R2 (Server Core installation) (3035017) | Denial of Service | Important | None

[1]Enterprise and Ultimate editions of Windows 7 are affected. All supported editions of Windows 7 are affected if RDP 8.0 is installed on the system. See the Update FAQ for more information.

Update FAQ

Which editions of Windows 7 are affected?
Enterprise and Ultimate editions of Windows 7 are affected. All supported editions of Windows 7 are affected if RDP 8.0 is installed on the system. For customers running RDP 8.0 on local systems who do not need the new server-side features provided in RDP 8.0, Microsoft recommends upgrading to RDP 8.1 and not applying (or removing) the 3035017 update.

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the March bulletin summary.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software | Remote Desktop Protocol (RDP) Denial of Service Vulnerability - CVE-2015-0079 | Aggregate Severity Rating

Windows 7
Windows 7 for 32-bit Systems Service Pack 1 (3035017) | Important (Denial of Service) | Important
Windows 7 for 32-bit Systems Service Pack 1 (3036493) | Important (Denial of Service) | Important
Windows 7 for x64-based Systems Service Pack 1 (3035017) | Important (Denial of Service) | Important
Windows 7 for x64-based Systems Service Pack 1 (3036493) | Important (Denial of Service) | Important

Windows 8 and Windows 8.1
Windows 8 for 32-bit Systems (3035017) | Important (Denial of Service) | Important
Windows 8 for x64-based Systems (3035017) | Important (Denial of Service) | Important
Windows 8.1 for 32-bit Systems (3035017) | Important (Denial of Service) | Important
Windows 8.1 for x64-based Systems (3035017) | Important (Denial of Service) | Important

Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012 (3035017) | Important (Denial of Service) | Important
Windows Server 2012 R2 (3035017) | Important (Denial of Service) | Important

Server Core installation option
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3035017) | Important (Denial of Service) | Important
Windows Server 2012 (Server Core installation) (3035017) | Important (Denial of Service) | Important
Windows Server 2012 R2 (Server Core installation) (3035017) | Important (Denial of Service) | Important

Vulnerability Information

Remote Desktop Protocol (RDP) Denial of Service Vulnerability - CVE-2015-0079

A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker creates multiple RDP sessions that fail to properly free objects in memory. Note that the denial of service would not allow an attacker to execute code or to elevate their user rights. However, it could prevent legitimate users from logging on through remote desktop. An unauthenticated attacker could use this vulnerability to exhaust the system memory by creating multiple RDP sessions. An attacker who successfully exploited the vulnerability could cause the target system to stop responding. The update addresses the vulnerability by correcting how RDP manages objects in memory.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
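The bulletin describes the symptom an attacker produces (memory consumed by RDP sessions whose objects are never freed) but not where those objects live. The following PowerShell script is an added monitoring example, not part of the bulletin or of any Microsoft tooling: on a host that must keep RDP exposed until the update is applied, it samples the working set of the svchost.exe that hosts the TermService service, the system's free physical memory, and the number of established TCP/3389 connections per remote address, and warns when any of them crosses a threshold. The thresholds, the polling interval and the choice of indicators are illustrative assumptions; the netstat output format is the one Windows prints for IPv4 and IPv6 endpoints.

```powershell
# Added example (not part of the bulletin): watch a host that must keep RDP
# exposed for the symptom CVE-2015-0079 produces, i.e. memory that keeps
# growing while inbound RDP connections arrive. The bulletin does not say
# which process owns the leaked objects, so both the Remote Desktop Services
# host process and system-wide free memory are sampled. Thresholds and the
# polling interval are illustrative assumptions; tune them per host.
param(
    [int]$IntervalSeconds = 30,
    [int]$MaxConnections  = 50,    # established TCP/3389 connections before alerting
    [int]$GrowthMB        = 200,   # TermService working-set growth before alerting
    [int]$MinFreeMB       = 512    # free physical memory floor before alerting
)

function Get-TermServiceProcess {
    # TermService runs inside a shared svchost.exe; resolve its PID via the service.
    $svc = Get-WmiObject Win32_Service -Filter "Name='TermService'"
    if (-not $svc -or $svc.ProcessId -eq 0) { return $null }
    Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
}

function Get-FreePhysicalMB {
    # Win32_OperatingSystem reports FreePhysicalMemory in kilobytes.
    [int]((Get-WmiObject Win32_OperatingSystem).FreePhysicalMemory / 1KB)
}

function Get-Rdp3389Connections {
    # Established TCP connections to local port 3389, grouped by remote address.
    # Matches both IPv4 (1.2.3.4:port) and IPv6 ([addr]:port) as netstat prints them.
    netstat -ano |
        Select-String -Pattern '^\s*TCP\s+\S+:3389\s+(\S+):\d+\s+ESTABLISHED' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Group-Object |
        Sort-Object Count -Descending
}

$baseline = Get-TermServiceProcess
if (-not $baseline) { Write-Error 'TermService is not running; nothing to monitor.'; return }
$baselineMB = [int]($baseline.WorkingSet64 / 1MB)
Write-Host ("Baseline: TermService PID {0}, working set {1} MB, free RAM {2} MB" -f $baseline.Id, $baselineMB, (Get-FreePhysicalMB))

while ($true) {
    Start-Sleep -Seconds $IntervalSeconds

    $proc = Get-TermServiceProcess
    if (-not $proc) { Write-Warning 'TermService host process has exited; new RDP logons will fail.'; break }

    $nowMB  = [int]($proc.WorkingSet64 / 1MB)
    $freeMB = Get-FreePhysicalMB
    $groups = @(Get-Rdp3389Connections)
    $total  = [int](($groups | Measure-Object -Property Count -Sum).Sum)

    $alert = ($total -ge $MaxConnections) -or
             (($nowMB - $baselineMB) -ge $GrowthMB) -or
             ($freeMB -le $MinFreeMB)

    if ($alert) {
        $msg = "{0:u}: {1} established RDP connections; TermService {2} MB (+{3} MB since baseline); free RAM {4} MB"
        Write-Warning ($msg -f (Get-Date), $total, $nowMB, ($nowMB - $baselineMB), $freeMB)
        # Top talkers show whether one source is opening many sessions.
        $groups | Select-Object -First 5 | ForEach-Object {
            Write-Warning ("  {0,4} connection(s) from {1}" -f $_.Count, $_.Name)
        }
    }
}
```

Because the leaked sessions may already have been torn down by the time a sample is taken, the connection count alone can stay low while memory keeps climbing; the working-set and free-memory checks are what catch the sustained condition, and the connection breakdown is there to attribute it when it is caught live.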

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

The following workarounds may be helpful in your situation:

Disable RDP

  To disable RDP using Group Policy:

  • Open Group Policy.
  • In Computer Configuration, Administrative Templates, Windows Components, Terminal Services, double-click the Allows users to connect remotely using Terminal Services setting. (On Windows 7 and later releases the node is named Remote Desktop Services, and the setting is Allow users to connect remotely by using Remote Desktop Services under Remote Desktop Session Host, Connections.)
  • Do one of the following:

    • To enable Remote Desktop, click Enabled.
    • To disable Remote Desktop, click Disabled.

      If you disable Remote Desktop while users are connected to the target computers, the computers maintain their current connections, but will not accept any new incoming connections.

    Important When you enable Remote Desktop on a computer, you enable the capability for other users and groups to log on remotely to the computer. However, you must also decide which users and groups should be able to log on remotely, and then manually add them to the Remote Desktop Users group. For more information, see Enabling users to connect remotely to the server and Add users to the Remote Desktop Users group.

    You should thoroughly test any changes you make to Group Policy settings before applying them to users or computers. For more information about testing policy settings, see Resultant Set of Policy.

    Note:

    • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
    • Use the above procedure to configure the local Group Policy object. To change a policy for a domain or an organizational unit, you must log on to the primary domain controller as an administrator. Then, you must start Group Policy by using the Active Directory Users and Computers snap-in.
    • If the Allows users to connect remotely using Terminal Services Group Policy setting is set to Not Configured, the Enable Remote Desktop on this computer setting (on the Remote tab of the System Properties dialog box) on the target computers takes precedence. Otherwise, the Allows users to connect remotely using Terminal Services Group Policy setting takes precedence.
    • Be aware of the security implications of remote logons. Users who log on remotely can perform tasks as though they were sitting at the console. For this reason, you should ensure that the server is behind a firewall. For more information, see VPN servers and firewall configuration and Security information for IPSec.
    • You should require all users who make remote connections to use a strong password. For more information, see Strong passwords.
    • Remote Desktop is disabled by default in Windows Server 2003 operating systems.
  To disable RDP using System Properties:

  • Open System in Control Panel.
  • On the Remote tab, select or clear the Enable Remote Desktop on this computer check box, and then click OK.

    Important When you enable Remote Desktop on a computer, you enable the capability for other users and groups to log on remotely to the computer. However, you must also decide which users and groups should be able to log on remotely, and then manually add them to the Remote Desktop Users group. For more information, see Enabling users to connect remotely to the server and Add users to the Remote Desktop Users group.

    Note:

    • You must be logged on as a member of the Administrators group to enable or disable Remote Desktop.
    • To open a Control Panel item, click Start, click Control Panel, and then double-click the appropriate icon.
    • Any configuration set with Group Policy overrides the configuration set by using System properties, as described in this procedure.
    • Be aware of the security implications of remote logons. Users who log on remotely can perform tasks as though they were sitting at the console. For this reason, you should ensure that the server is behind a firewall. For more information, see VPN servers and firewall configuration and Security information for IPSec.
    • You should require all users who make remote connections to use a strong password. For more information, see Strong passwords.
    • Remote Desktop is disabled by default in Windows Server 2003 operating systems.
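The two procedures above and the Update FAQ rule for Windows 7 can be checked and applied from an elevated PowerShell prompt. The following script is an added example, not part of the bulletin: it reports whether Remote Desktop is enabled and listening, whether either MS15-030 package (3035017 or 3036493) is installed, and whether the host is in scope under the Windows 7 rule (Enterprise or Ultimate, or any edition with RDP 8.0 installed); with -Disable it applies the Disable RDP workaround. Two things in it are not taken from the bulletin and are assumptions: the RDP 8.0 package for Windows 7 SP1 is identified as KB2592687, and the host firewall rule group is addressed by its English display name "Remote Desktop". netsh is used rather than the NetSecurity cmdlets so the same script runs on Windows 7.

```powershell
# Added example (not part of the bulletin): audit whether this host is in scope
# for MS15-030, whether the update is present, and whether RDP is reachable;
# with -Disable, apply the "Disable RDP" workaround. Run from an elevated prompt.
#
# Assumptions not taken from the bulletin: the RDP 8.0 package for Windows 7 SP1
# is KB2592687 (used to apply the Update FAQ rule for non-Enterprise/Ultimate
# editions), and the host firewall rule group is named "Remote Desktop" (English
# locale). netsh is used so the script also runs on Windows 7, which lacks the
# NetSecurity cmdlets.
param(
    [switch]$Disable
)

$TsKey          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$Ms15030Updates = @('KB3035017', 'KB3036493')   # update packages listed in the bulletin
$Rdp80Update    = 'KB2592687'                    # RDP 8.0 for Windows 7 SP1 (assumption)

function Get-RdpState {
    # fDenyTSConnections = 1 is the Windows default: Remote Desktop off.
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $listening = netstat -ano | Select-String -Pattern ':3389\s+\S+\s+LISTENING' -Quiet
    New-Object PSObject -Property @{
        RdpEnabled      = ($deny -eq 0)
        ListeningOn3389 = [bool]$listening
    }
}

function Get-Ms15030Status {
    $os        = Get-WmiObject Win32_OperatingSystem
    $hotfixes  = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $installed = @($Ms15030Updates | Where-Object { $hotfixes -contains $_ })
    $rdp80     = $hotfixes -contains $Rdp80Update

    # Update FAQ: on Windows 7 only Enterprise and Ultimate are affected, unless
    # RDP 8.0 is installed, in which case every supported edition is.
    $isWin7  = $os.Caption -match 'Windows 7'
    $inScope = (-not $isWin7) -or ($os.Caption -match 'Enterprise|Ultimate') -or $rdp80

    New-Object PSObject -Property @{
        OS           = $os.Caption.Trim()
        InScope      = $inScope
        Rdp80Present = $rdp80
        UpdatesFound = ($installed -join ', ')
        Patched      = ($installed.Count -gt 0)
    }
}

function Disable-Rdp {
    # Equivalent to clearing "Enable Remote Desktop on this computer" in System
    # Properties: existing sessions stay up, new connections are refused.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
    # Also close TCP/3389 at the host firewall so the listener is unreachable.
    netsh advfirewall firewall set rule group="remote desktop" new enable=No | Out-Null
}

$state  = Get-RdpState
$status = Get-Ms15030Status
$state  | Format-List
$status | Format-List

if ($Disable) {
    if ($state.RdpEnabled) { Disable-Rdp; Write-Host 'Remote Desktop disabled.' }
    else { Write-Host 'Remote Desktop is already disabled.' }
} elseif ($state.RdpEnabled -and $status.InScope -and -not $status.Patched) {
    Write-Warning 'RDP is enabled and MS15-030 is not installed: install the update or re-run with -Disable.'
}
```

A Group Policy setting for Allows users to connect remotely using Terminal Services overrides the registry value the script sets, as the notes above state, so on domain-joined hosts confirm the effective policy (for example with Resultant Set of Policy) before relying on the -Disable path.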

FAQ

Is remote desktop enabled by default?
No, RDP for administration is not enabled by default. However, customers who have not enabled RDP will still be offered this update in order to help ensure the protection of their systems. For more information regarding this configuration setting, see the TechNet article, How to enable and to configure Remote Desktop for Administration in Windows Server 2003. Note that this article also applies to later releases of Microsoft Windows.

Security Update Deployment

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (March 10, 2015): Bulletin published.

Page generated 2015-03-08 9:11Z-07:00.