CVE-2023-29348 - Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability Explained

On June 13, 2023, Microsoft released security updates for a moderate yet critical vulnerability tracked as CVE-2023-29348, which affects the Windows Remote Desktop Gateway (RD Gateway) service. This information disclosure bug could allow attackers to leak sensitive data from targeted systems. In this article, we’ll walk you through what this vulnerability is, how it works, how to check if you’re vulnerable, and where to find patches and more details. We’ll also give practical guidance and a code snippet showing the basics of this bug.

What is Windows RD Gateway?

Windows Remote Desktop Gateway (RD Gateway) is a Windows Server role that lets authorized users connect to internal computers over the internet using the Remote Desktop Protocol (RDP). Instead of exposing RDP directly, which is risky, RD Gateway acts as a secure bridge.

What is CVE-2023-29348 All About?

- Official Description: “Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability.”
- CVE ID: CVE-2023-29348
- Severity: Medium/Important (CVSS Score: 5.3 — moderate)

Patch Released: June 13, 2023, via Microsoft’s Patch Tuesday

In plain language: If an attacker can connect to your RD Gateway over the network, they might be able to pull information they aren’t supposed to see, just by sending specially crafted RDP requests.

How Does the Exploit Work?

The vulnerability is in how RD Gateway handles RDP connection data. Basically, the system sometimes discloses memory areas it shouldn’t, especially under error conditions.

A remote attacker who’s unauthenticated can send malformed RDP requests to your server. The server, in error responses, might accidentally send memory contents back — this can include:

Fragments of previous session memory

This is not remote code execution or privilege escalation, but it can help an attacker gather enough info for further attacks, phishing, or social engineering.

Example Code Snippet to Illustrate the Problem

To show how this works, here’s a simple Python script using the socket library to send a malformed RDP request to an RD Gateway server.

> DISCLAIMER: This is for educational purposes only. Don’t attack systems you don’t have explicit permission to test.

import socket

HOST = 'rdgateway.example.com'  # Change to your server's address
PORT = 3389                    # Default RDP port

# Example of a bogus RDP negotiation packet (not a fully valid RDP handshake!)
bogus_rdp_packet = b'\x03\x00\x00\x13\xe\xd\x00\x00\x124\x00\x02...'

with socket.create_connection((HOST, PORT)) as sock:
    sock.sendall(bogus_rdp_packet)
    data = sock.recv(4096)

    print("Received:", data)
    # In a real attack, the attacker examines 'data' for any info leak

A real exploit would craft a more elaborate sequence to trigger the info leak. The key is that RD Gateway may respond with error messages containing extra memory data if not fully patched.

In Server Manager, view installed roles and features

- Check KB article KB5027223 for specific updates per server version

Network Scanners:

- Use Nmap or similar tools to check for exposed RDP ports (should not be publicly accessible if possible)

Microsoft Security Page:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29348

Microsoft Update Guidance:

https://msrc.microsoft.com/update-guide/en-US

Patch Details and Deployment:

https://support.microsoft.com/en-us/topic/june-13-2023-kb5027223-os-build-20348-1668-cf9dce54-e567-4f8a-803e-b6e5ac268a2

NIST NVD:

https://nvd.nist.gov/vuln/detail/CVE-2023-29348

Remediation Steps

- Patch Immediately: Install the relevant June 2023 security updates from Windows Update or your patch management system.
- Restrict Network Access: Only allow RD Gateway connections from trusted IP ranges (via firewall).

Conclusion

While CVE-2023-29348 isn’t a remote code execution bug, information disclosure vulnerabilities like this often serve as critical “stepping stones” for attackers. A patched and well-configured RD Gateway is much harder to use in a targeted attack, so don’t delay — patch today and keep your systems safe.

About This Article

We crafted this post for clarity and real-world practicality, summarizing complex security information into actionable steps. Please refer to the linked Microsoft advisories for the most up-to-date details.


Do you have questions about CVE-2023-29348, or want more tips on defending your Windows servers? Ask us in the comments!

Timeline

Published on: 10/10/2023 18:15:11 UTC
Last modified on: 10/13/2023 17:08:11 UTC