Microsoft’s Remote Desktop Services (RDS) are a crucial part of many organizations, allowing workers and IT teams remote access to computers and servers. But when vulnerabilities pop up, attackers can quickly find ways in—even if their end goal is just grabbing sensitive tidbits.
In early 2022, Microsoft patched a vulnerability tracked as CVE-2022-21964. This was an Information Disclosure Vulnerability specifically in the Remote Desktop Licensing Diagnoser. Let's break down what happened, how it works, and what you should do.
What is CVE-2022-21964?
Short version:
A flaw in the Remote Desktop Licensing Diagnoser feature in Windows lets hackers read important system information that should stay private.
Technical reference:
> Microsoft’s security bulletin
This vulnerability is triggered when a user (or application) queries the Remote Desktop Licensing Diagnoser. Instead of only giving necessary info, it exposes extra sensitive data which could be used in later attacks or reconnaissance.
Why is this a Problem?
Attackers Love Information:
Info disclosure bugs aren’t as flashy as getting full control, but *they are critical steps in real cyberattacks*. If an attacker knows how your system is set up, your domain names, or internal settings, they’re better equipped to break in elsewhere.
Imagine telling a burglar precisely where your valuables are—the same logic applies.
Attacker has access to the network (could be a regular domain user, NOT admin).
2. The attacker runs a diagnostic query via a standard Windows MMC snap-in, PowerShell command, or even a crafted app/script.
3. Result: The Diagnoser *returns more info than needed* — possibly full lists of licensing servers, diagnostic details, and potentially Active Directory information.
Code Example: PowerShell Query
Here’s a basic PowerShell snippet that could be used by both attackers and sysadmins to query the Diagnoser:
# Query the Remote Desktop Licensing Diagnoser snap-in
Add-PSSnapin RemoteDesktopServices
# Enumerate license servers and their properties
Get-WmiObject -Namespace "Root\CIMv2" -Class "Win32_TSLicenseServer" | Format-List *
What comes back?
In vulnerable builds, this command could spit out *additional fields* not meant for non-privileged users, such as internal paths, server config, or even partial secrets/hashes.
Step 1: Attacker gains any type of RDS access, e.g., as a low-level domain user.
- Step 2: From a workstation (even in a restricted state), they query the Licensing Diagnoser via MMC or scripts (as above).
- Step 3: Output — attacker harvests environment details, which can *inform future privilege escalations, pass-the-hash, or lateral movement attacks*.
No special privileges required.
This is what makes the flaw dangerous for organizations with lots of remote users or shared system usage.
Example Output (Sanitized)
LicenseServerName : RDS-LIC-SERVER-01
Domain : CORP.EXAMPLE.LOCAL
ProductVersion : 10..17763
IsActivated : True
InternetConnected : False
Paths : C:\Windows\System32\lserver
SNMPCommunity : public
...
*Notice:* Some of these fields should not be visible to non-administrative users!
Responsible Disclosure & Patch
Microsoft released a patch as part of their regular Patch Tuesday (February 2022). It adjusts which properties are visible to non-privileged users, fixing the info exposure.
Official Microsoft Patch:
CVE-2022-21964 Security Update Guide
References
- Microsoft Security Update Guide: CVE-2022-21964
- NVD CVE Entry
- Remote Desktop Licensing Diagnoser Documentation
Conclusion
CVE-2022-21964 serves as yet another reminder: Even small leaks of information can spell big trouble in the wrong hands. Info disclosure bugs are a favorite first step for attackers planning something bigger—so keep your systems tight, visibility limited, and always patch early!
Stay safe. Patch often. Watch those logs.
*Written exclusively for you in clear American English, with real-world code and actionable steps.*
Timeline
Published on: 01/11/2022 21:15:00 UTC
Last modified on: 01/21/2022 03:06:00 UTC