Security Risk: iOS Remote Desktop Client accepting invalid RD Gateway Certificates


After accidentally importing a wrong certificate (CN mismatch) for our RD Gateway jump host, some mobile users started complaining immediately because they were getting certificate warnings.

After the first report, I verified using my fully updated iPhone with the latest Microsoft Remote Desktop Client (10.3.6) but did not get any certificate warnings with a pre-configured connection using that RD Gateway. However, when using the Workspace Feed (aka RD WebAccess), there was a certificate warning when refreshing the feed.

I then cross checked with the Android RDP Client and it showed the RD Gateway Certificate warning as expected.

Well, I was a bit baffled and did some experiments: it seems the iOS RDP Client accepts any certificate without checking; self-signed, wrong CN, ... everything seems to be happily accepted!
I even tested with an old iPad using the abandoned version 8 iOS client and it had the same issue.

I know that Apple users love it if something just works, but in this case this would go way too far ;)

And no - the client did not connect directly to the target RDP server, as in skipping the gateway. That connection would not be possible without the gateway, and the connection was also confirmed in RD Gateway Monitor.

Is it possible that Microsoft has this "feature" in the iOS RDP Client, like forever, and I'm the first to notice? 

0 Replies
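Added example, not from the original post or from Microsoft: a small probe that connects to an RD Gateway's HTTPS endpoint the way a validating RDP client should, first with full chain and hostname verification and then with chain-only verification, so that a wrong-CN certificate (the situation described above) is reported as a name mismatch rather than lumped together with an untrusted chain. The hostname matching is a plain implementation of the SAN-first, CN-fallback rules and is exercised against constructed certificate dictionaries in the same shape that `ssl.SSLSocket.getpeercert()` returns. The gateway name `rdgw.example.com`, the port 443 and the constructed certificates are assumptions for illustration.

```python
"""Probe an RD Gateway TLS endpoint the way a validating RDP client should.

Added example (not from the original post). Assumes the gateway listens on
TCP 443, the default RD Gateway HTTPS port, and that the hostname passed in
is the one configured in the client's gateway settings.
"""
import socket
import ssl


def _name_matches(pattern, hostname):
    """Match one certificate name (possibly '*.example.com') against a hostname.

    Wildcards are only honoured in the leftmost label and cover exactly one
    label, so '*.example.com' matches 'rdgw.example.com' but not
    'a.b.example.com' or 'example.com', and '*.com' is never accepted.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names a client may match against, from a getpeercert()-style dict.

    SAN dNSName entries win; the subject CN is only used when the certificate
    carries no DNS SAN at all (the legacy fallback older clients apply).
    """
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for (key, value) in rdn:
            if key == "commonName":
                return [value]
    return []


def hostname_matches(cert, hostname):
    """True when any SAN dNSName (or fallback CN) matches the gateway hostname."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def probe_gateway(hostname, port=443, timeout=5.0):
    """Classify what a conforming client should see when it opens the gateway.

    Returns a dict whose 'result' is one of 'ok', 'name-mismatch' or
    'untrusted-chain'. Socket errors (no route, refused) propagate unchanged.
    """

    def handshake(ctx):
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert()

    # Pass 1: chain validation plus hostname check, exactly what a validating client does.
    strict = ssl.create_default_context()
    try:
        cert = handshake(strict)
        return {"result": "ok", "names": cert_names(cert)}
    except ssl.SSLCertVerificationError:
        pass

    # Pass 2: chain validation only (verify_mode stays CERT_REQUIRED), so a
    # trusted-but-wrong-name certificate is told apart from an untrusted one.
    chain_only = ssl.create_default_context()
    chain_only.check_hostname = False
    try:
        cert = handshake(chain_only)
    except ssl.SSLCertVerificationError as exc:
        return {"result": "untrusted-chain", "detail": exc.verify_message}
    return {
        "result": "name-mismatch",
        "names": cert_names(cert),
        "matches": hostname_matches(cert, hostname),
    }


if __name__ == "__main__":
    import sys

    # Usage: python probe.py rdgw.example.com   (hostname is an assumption)
    print(probe_gateway(sys.argv[1] if len(sys.argv) > 1 else "rdgw.example.com"))
```

Run it against the gateway hostname the mobile clients are configured with; a result other than `ok` is what Android and the Workspace Feed warn about, and what a client that silently connects is ignoring.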