CyberArk on Thursday reported that after analyzing a patch that fixed a remote desktop vulnerability (CVE-2022-21893) they wrote about in a blog post this past January, their researchers identified an attack vector that was not addressed and actually made the vulnerability exploitable.
The CyberArk researchers said attackers who successfully exploit the original vulnerability can view and modify data sent over virtual channels, such as clipboard data, transferred files, and smart card PIN numbers, and can gain access to the victim’s redirected devices such as hard drives, smart cards, and USB devices.
That it took Microsoft two patches to fully-fix the RDP issue CyberArk discovered shows how complex some of these security issues are, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said the vulnerability was somewhat mitigated by the need for an attacker to successfully connect to the target server before they could leverage it against other victims and there’s no indication it was discovered and used in the wild.
“The discovery and patch sequence also shows the difference between how developers think and how attackers think,” Parking said. “There’s a distinct difference in mindset between people who look at applications from a functionality perspective, from a security perspective, and from a vulnerability perspective. It can be a challenge to get all three perspectives looking at the same application.”