Researcher Says 5 Million Machines Exposing RDP Service Online

With exploit code for the MS12-020 RDP vulnerability available in various places, the question now becomes, if a worm or large-scale attack appears, how big is the target base? As it turns out, it’s pretty big. As in, five million machines big.

Dan Kaminsky, a network security researcher, last week decided to scan a fairly large chunk of the Internet in the wake of the release of the patch for the RDP bug and the publication of exploit code for it. He started the scan on Friday and hit 300 million IP addresses. What he found is that in that address space, there were about 415,000 machines that were communicating using some part of the RDP protocol.

“Extrapolating from this sample, we can see that there’s approximately five million RDP endpoints on the Internet today. Now, some subset of these endpoints are patched, and some (very small) subset of these endpoints aren’t actually the Microsoft Terminal Services code at all. But it’s pretty clear that, yes, RDP is actually an enormously deployed service, across most networks in the world,” Kaminsky wrote in a blog post on the work.

“There’s something larger going on, and it’s the relevance of a bug on what can be possibly called the Critical Server Attack Surface. Not all bugs are equally dangerous because not all code is equally deployed. Some flaws are simply more accessible than others, and RDP — as the primary mechanism by which Windows systems are remotely administered — is a lot more accessible than a lot of people were aware of.”

RDP is used widely in enterprise networks and small business environments for remote management of machines. In larger networks that have tight administration and regular patching programs and schedules, the bug likely will be addressed in relatively short order, whether through patching or by disabling RDP on machines if it’s unnecessary. Some percentage of those machines already have been patched, as the fix has been out now for almost a week.

But in smaller networks that may not have a full-time administrator or IT staff, the problem is somewhat more slippery. If the business owners don’t even know that RDP is enabled or what it’s for, they may also not realize the importance of patching the vulnerability.

That leaves a large potential target base for attackers, even if the majority of enterprise administrators patch their vulnerable machines. Kaminsky contrasted the RDP vulnerability to a serious remote code execution flaw in Telnet that surfaced last year and was considered a majort threat. But the number of vulnerable machines in that case was in the low tens of thousands, rather than the millions.

“RDP’s just on a different scale. I’ve got more to say about this, but for now it’s important to get these numbers out there. There’s a very good chance that your network is exposing some RDP surface. If you have any sort of crisis response policy, and you aren’t completely sure you’re safe from the RDP vulnerability, I advise you to invoke it as soon as possible,” Kaminsky said.