CVE-2020-0655 Overview
A remote code execution vulnerability exists in Microsoft Remote Desktop Services (formerly known as Terminal Services) that can be exploited when an authenticated attacker abuses the clipboard redirection feature. This vulnerability allows attackers who have already authenticated to an RDP session to execute arbitrary code on the target system by manipulating clipboard data during redirection operations.
Critical Impact
Authenticated attackers can achieve remote code execution by exploiting clipboard redirection in Remote Desktop Services, potentially gaining complete control over affected Windows systems.
Affected Products
- Microsoft Windows 10 (multiple versions including 1607, 1709, 1803, 1809, 1903, 1909)
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1
- Microsoft Windows RT 8.1
- Microsoft Windows Server 2008 (SP2 and R2 SP1)
- Microsoft Windows Server 2012 (including R2)
- Microsoft Windows Server 2016 (including versions 1803, 1903, 1909)
- Microsoft Windows Server 2019
Discovery Timeline
- 2020-02-11 - CVE-2020-0655 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-0655
Vulnerability Analysis
This vulnerability resides in the Remote Desktop Services component of Windows, specifically within the clipboard redirection functionality. When users establish an RDP connection with clipboard sharing enabled, the client and server exchange clipboard data through a dedicated virtual channel. The flaw occurs in how the Remote Desktop Services component processes incoming clipboard data from authenticated users.
An authenticated attacker can craft malicious clipboard content that, when processed by the vulnerable RDP server, leads to memory corruption or improper handling of data structures. This exploitation requires user interaction, as the victim must trigger a clipboard operation (such as a paste action) for the malicious payload to be processed.
The vulnerability is particularly concerning in enterprise environments where Remote Desktop Services are heavily utilized for remote administration and virtual desktop infrastructure (VDI) deployments.
Root Cause
The root cause of this vulnerability stems from improper input validation and handling of clipboard data within the Remote Desktop Protocol's clipboard redirection mechanism. When clipboard data is transferred between the RDP client and server, the receiving component fails to properly validate the format and content of the clipboard payload before processing it. This lack of proper bounds checking and input sanitization allows specially crafted clipboard data to trigger arbitrary code execution.
Attack Vector
The attack requires the following conditions to be met:
- The attacker must have valid credentials to authenticate to the target Remote Desktop Services
- Clipboard redirection must be enabled on the RDP session (this is enabled by default in most configurations)
- User interaction is required to trigger the vulnerability through a clipboard operation
Once authenticated, the attacker can place malicious content into the clipboard and wait for a legitimate user or process on the server to perform a paste operation, or manipulate clipboard synchronization to inject malicious data. The network-based attack vector combined with the need for low privileges and user interaction creates a scenario where post-authentication lateral movement becomes possible.
The exploitation flow involves establishing an RDP session, placing specially crafted data in the shared clipboard buffer, and triggering processing of that malicious clipboard content on the target system to achieve code execution in the context of the user or service processing the clipboard data.
Detection Methods for CVE-2020-0655
Indicators of Compromise
- Unusual clipboard-related activity in RDP sessions, including large or malformed clipboard data transfers
- Unexpected process spawning from RDP-related services such as rdpclip.exe or svchost.exe hosting Remote Desktop Services
- Memory corruption crashes or service restarts in Remote Desktop Services components
- Anomalous outbound network connections originating from RDP session host processes
Detection Strategies
- Monitor Windows Event Logs for Remote Desktop Services errors and crashes, particularly Event IDs related to TermService and rdpclip.exe
- Implement endpoint detection and response (EDR) solutions to monitor for suspicious child processes spawned by RDP-related services
- Deploy network monitoring to detect anomalous RDP session behavior including unusual data volumes in virtual channel communications
- Use SentinelOne's behavioral AI to detect post-exploitation activities following RDP-based attacks
Monitoring Recommendations
- Enable detailed auditing for Remote Desktop Services logon events and session activities
- Monitor for unexpected terminations or restarts of the rdpclip.exe process
- Implement alerting for privilege escalation attempts following RDP session establishment
- Review RDP Group Policy settings to ensure clipboard redirection is disabled where not required
How to Mitigate CVE-2020-0655
Immediate Actions Required
- Apply the Microsoft security update for CVE-2020-0655 immediately to all affected Windows systems
- Disable clipboard redirection via Group Policy if the feature is not required for business operations
- Implement network segmentation to limit RDP access to authorized personnel and systems only
- Enable Network Level Authentication (NLA) to provide an additional layer of authentication before full RDP session establishment
Patch Information
Microsoft released security updates addressing this vulnerability as part of the February 2020 Patch Tuesday release cycle. Organizations should apply the appropriate update for their Windows version as detailed in the Microsoft Security Advisory CVE-2020-0655. Ensure that all Windows systems running Remote Desktop Services are patched, including both server and client installations.
Workarounds
- Disable clipboard redirection through Group Policy by navigating to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection and enabling "Do not allow Clipboard redirection"
- Use Remote Desktop Gateway to add an additional security layer and control access to RDP resources
- Implement just-in-time (JIT) access for RDP connections to reduce the attack surface
- Consider using Windows Defender Credential Guard on supported systems to protect credentials used in RDP sessions
# Group Policy configuration to disable clipboard redirection
# Navigate to: gpedit.msc
# Computer Configuration > Administrative Templates > Windows Components >
# Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
# Enable: "Do not allow Clipboard redirection"
# Alternatively, set via registry:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDisableClip /t REG_DWORD /d 1 /f
# Verify the setting is applied:
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDisableClip
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
