Cloudworm - Candidate MS12-020 - POC
How secure are cloud servers?
In technical circles, people are aware of the cloud variables and that cloud service providers offload the virtual machine security onto the customer as much as possible.
Technical people know this. Not all cloud customers fall into this category and not all clouds are created equally. There are more casual and also very (too busy) customers as well.
It is highly probably that many Windows cloud images may be vulnerable to a MS12-020 RDP exploit by default.
New research using the nmap nse script "rdp-ms12-020.nse" developed by @ea_foundation shows that all Rackspace Windows cloud images are vulnerable by default. And on AWS EC2 any existing, unpatched Windows AMIs or EBS images (pre 2012.03.13) that are booted with the AWS Management Console default firewall ruleset are vulnerable as well.
A Cloudworm
Although cloud service providers have taken some steps to mitigate MS12-020, it is nowhere near enough to protect customers.
This is due to the fact that both cloud service providers, AWS EC2 and Rackspace have vulnerable by default security settings.
- AWS EC2 have a global allow RDP (port 3389) as a default rule for all customers using the AWS Management Console to launch EC2 instances.
- Rackspace have an unsecured "servicenet" (unfirewalled LAN) on all their cloud servers.
This means that when an exploit is developed to exploit MS12-020, it may be deployable onto a very large number of servers in the clouds, if the cloud providers do not act more pro-actively and promptly.
The most vulnerable customers are casual cloud users that have an expectation that the cloud service providers are providing their virtual servers with a sensible set of default firewall rules. Unfortunately, in the case of MS12-020, the exact opposite is true.
Experienced users may not be off the hook either. Booting older Windows cloud images will leave the server vulnerable until the user has patched and rebooted their cloud server, unless they have a sensible RDP ruleset and have secured any "open" network interfaces.
