
RDP Vulnerability in Windows Remote Access Tool


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Microsoft’s Windows Remote Access Tool, which allows remote assistance on a user's device if they are experiencing issues, has a vulnerability that allows a remote attacker to extract any file from the compromised user’s device without their knowledge.

Threat details

This tool is available on all Windows versions since XP.

For the vulnerability to be successfully exploited, the attacker must first request help from a user. The attacker alters the “Invitation.msrcincident” file that is generated and sent when a typical user requests help from someone else. The attacker, who appears to be in need of help, then sends this file via email to the person who has agreed to help. The target then double-clicks this file, and a connection to the attacker's device is made via a remote desktop session.

The “Invitation.msrcincident” file is an XML file containing various configuration data that is not fully protected due to a lack of authentication. Because of this, an attacker can embed an XML External Entity (XXE) exploit in the file, which allows the attacker to extract files from the user's device and send them to a remote server.
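
A triage check for received invitation files, as an added example that is not part of the original alert or of Microsoft's code: it uses Python's expat bindings to report any DOCTYPE or entity declaration in the file without resolving it. The function names and the sample XML are constructed for illustration and do not reproduce the real invitation schema.

```python
import xml.parsers.expat


def inspect_invitation(data: bytes) -> dict:
    """Report DTD constructs in an invitation file without resolving them."""
    findings = {"doctype": False, "entities": [], "external": [], "error": None}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = True
        if system_id:
            findings["external"].append(("DOCTYPE", system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        findings["entities"].append(name)
        if system_id is not None:  # SYSTEM/PUBLIC entity: points outside the file
            findings["external"].append((name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is installed, so nothing is ever fetched.
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings["error"] = str(exc)
    return findings


def should_quarantine(data: bytes) -> bool:
    """An invitation has no reason to carry a DTD; treat one as hostile."""
    f = inspect_invitation(data)
    return f["doctype"] or bool(f["entities"]) or f["error"] is not None


# Constructed samples (hypothetical element names, not the real schema).
CLEAN = b'<?xml version="1.0"?><INVITE><DATA USER="alice"/></INVITE>'
SUSPECT = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE INVITE [<!ENTITY probe SYSTEM "file:///PLACEHOLDER">]>'
    b'<INVITE>&probe;</INVITE>'
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, should_quarantine(sample), inspect_invitation(sample))
```
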

CVE
CVE-2018-0878


Remediation steps

  • Microsoft released a patch as part of March's Patch Tuesday. Ensure that this patch has been applied.
  • Change to Microsoft's Quick Assist application, which is not vulnerable to this type of attack because it utilises invite codes instead of invite files, unlike the Remote Access Tool.



Last edited: 17 February 2020 12:53 pm