Endpoint Protection

  • 1.  Attack: Microsoft RDP CVE-2012-0002 3

    Posted Jul 15, 2014 01:21 PM

    Good Morning - A whole bunch of our users received this message:

    [SID 25610] Attack: Microsoft RDP CVE-2012-0002 3 detected.

    I have read your info page on the error but can you explain what it means in layman's terms?

    Does it mean everyone got successfully attacked? Or did they try and it got blocked? Most users who received the message have up to date virus defs.


    thanks




  • 2.  RE: Attack: Microsoft RDP CVE-2012-0002 3



  • 3.  RE: Attack: Microsoft RDP CVE-2012-0002 3

    Posted Jul 15, 2014 02:03 PM

    This is the IPS component and the attack was blocked. The IPS is separate from AV so AV wouldn't have detected this. Verify the remote IP to ensure it's not one of your internal clients. Otherwise, you should be OK.
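    The "verify the remote IP" step above is the one that actually matters for triage: an external source hitting a blocked signature is background noise, while an internal source means one of your own hosts is sending RDP exploit traffic and needs to be looked at. The script below is an added example, not Symantec's code and not part of this thread; the CSV layout it parses is a constructed stand-in for an IPS log export (time, signature ID, event name, action, remote IP, local IP), and the sample lines are constructed. It groups alerts by remote IP, separates internal from external sources using RFC 1918, loopback and link-local ranges plus any extra ranges you pass in, and counts how many distinct local hosts each source touched.

```python
"""Triage IPS 'attack blocked' alerts by whether the remote IP is internal.

Added example, not Symantec's or Broadcom's code. The log format is an
assumed CSV layout (constructed for illustration), not SEP's real export.
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Constructed sample export. Columns assumed:
# time, signature id, event name, action, remote ip, local ip
SAMPLE_LOG = """\
2014-07-15 09:02:11,25610,Attack: Microsoft RDP CVE-2012-0002 3,Blocked,198.51.100.23,10.1.4.17
2014-07-15 09:02:12,25610,Attack: Microsoft RDP CVE-2012-0002 3,Blocked,198.51.100.23,10.1.4.18
2014-07-15 09:05:40,25610,Attack: Microsoft RDP CVE-2012-0002 3,Blocked,10.1.7.55,10.1.4.17
2014-07-15 09:05:41,25610,Attack: Microsoft RDP CVE-2012-0002 3,Blocked,10.1.7.55,10.1.4.22
2014-07-15 09:06:03,25610,Attack: Microsoft RDP CVE-2012-0002 3,Blocked,10.1.7.55,10.1.4.23
"""

COLUMNS = ["time", "sig_id", "event", "action", "remote_ip", "local_ip"]

# Address space that is internal by definition; public ranges your
# organisation owns can be added via the extra_nets argument.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(ip, extra_nets=()):
    """True if ip falls inside a private range or one of extra_nets."""
    addr = ipaddress.ip_address(ip)
    nets = PRIVATE_NETS + [ipaddress.ip_network(n) for n in extra_nets]
    return any(addr in net for net in nets)


def parse_alerts(text):
    """Parse the assumed CSV layout into a list of dicts, one per alert."""
    reader = csv.reader(StringIO(text))
    return [dict(zip(COLUMNS, row)) for row in reader if len(row) == len(COLUMNS)]


def triage(text, extra_nets=()):
    """Group alerts by remote IP and split internal from external sources.

    Returns {"internal_sources": {ip: distinct_targets},
             "external_sources": {ip: distinct_targets}}.
    An internal source is a host of yours that should be investigated even
    though the IPS blocked each attempt; an external source is usually noise.
    """
    targets = defaultdict(set)
    for alert in parse_alerts(text):
        targets[alert["remote_ip"]].add(alert["local_ip"])

    result = {"internal_sources": {}, "external_sources": {}}
    for remote_ip, locals_hit in targets.items():
        bucket = "internal_sources" if is_internal(remote_ip, extra_nets) else "external_sources"
        result[bucket][remote_ip] = len(locals_hit)
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for ip, count in summary["internal_sources"].items():
        print(f"INVESTIGATE internal host {ip}: hit {count} local machine(s)")
    for ip, count in summary["external_sources"].items():
        print(f"external source {ip}: blocked against {count} local machine(s)")
```

Run it against your own export after adjusting `COLUMNS` to the real column order; anything reported under `internal_sources` is a host that was itself sending the RDP exploit traffic, which is the case the reply above tells you to rule out.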



  • 4.  RE: Attack: Microsoft RDP CVE-2012-0002 3

    Broadcom Employee
    Posted Jul 15, 2014 03:33 PM

    Hi,

    Thank you for posting in Symantec community.

    Microsoft Remote Desktop Protocol is prone to a remote code-execution vulnerability. Successful exploits will allow the attacker to execute arbitrary code in the context of the affected process. This may facilitate a complete system compromise. Failed attacks may cause denial-of-service conditions.

    Response: 

    No further action is required but you may wish to perform some of the following actions as a precautionary measure.
    • Run the Symantec Power Eraser. (business users)
    • Update your product definitions and perform a full system scan.
    • Identify suspicious files.
    • Submit suspicious files to Symantec for analysis.

    Reference: 

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25610