Microsoft has patched a remote code execution vulnerability in its Remote Desktop Services (CVE-2019-0708). This vulnerability can be exploited remotely, does not require authentication and can be used to run malicious code on the victim’s computer.
“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The advisory includes fixes for Windows 7 and Windows 2008 (see here), which are part of Microsoft’s Patch Tuesday release. Additional patches were released for Windows XP and 2003. A further analysis of the patch has been provided by Sophos.
The flaw is considered high risk and ‘wormable’, meaning it can be used to develop self-replicating malware.
Millions of networks have the RDP protocol exposed to the internet so that their machines can be remotely managed. Sometimes this is purposeful, but sometimes it is the result of an oversight or mistake. In both cases, such networks are vulnerable if the machines are not updated.
Due to the vast number of potential targets and the potential for spreading, we suggest that you expect the patch to be reverse engineered by hackers to make ‘worm’ malware. Thus, you should definitely patch ASAP. For workarounds, jump to ‘What can I do?’ below.
Because of the potential impact this can have, Microsoft has released patches for systems outside their mainstream support. Since the end of life for Windows XP and 2003, Microsoft has released a number of patches to mitigate the most serious vulnerabilities. This is one of them; another notable case was during the WannaCry ransomware attacks of 2017.
WannaCry was a ransomware attack that affected a huge number of organisations, perhaps most notably the NHS in England. It exploited a flaw in the SMB (Windows Share) protocol and was largely successful because of the slow rate at which users apply patches to their systems. You can read more about these attacks in the following articles: Protecting your business from ransomware attacks, and WannaCry Worm causing mayhem.
What can I do?
First off, UPDATE! If you can’t update for some reason, you can use these workarounds, or call us to enable them:
Enable Network Level Authentication (NLA): this forces a user to authenticate before RDP is exposed to the attacker. Not all affected systems support NLA.
Disable RDP: if RDP isn’t running, the vulnerability can’t be exploited. As obvious as this seems, some organisations are unable to work without RDP, and some are running it without realising it.
Block RDP at the perimeter: blocking port 3389 (and any other ports you’ve assigned to RDP) at the perimeter will prevent an attack from entering your network, but it can’t stop an attack that originates inside your network.
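As an added example (not code from the original post), the following PowerShell script audits a Windows host for the exposure described above and applies the three workarounds on request. It assumes the default ‘RDP-Tcp’ listener name and the standard registry and WMI locations Windows uses for these settings.

```powershell
# Added example (not from the original post): audit a Windows host for the three
# CVE-2019-0708 workarounds listed above, and optionally apply them.
# Run from an elevated prompt. Assumes the default 'RDP-Tcp' listener name and uses
# Get-WmiObject/netsh so it also works on Windows 7 / Server 2008 (PowerShell 2.0).
param(
    [switch]$EnableNla,    # workaround 1: require Network Level Authentication
    [switch]$DisableRdp,   # workaround 2: turn Remote Desktop off entirely
    [switch]$BlockPort     # workaround 3: block inbound RDP in Windows Firewall
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# --- Audit: is the pre-authentication RDP surface reachable on this host? ---
$rdpEnabled = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0
$rdpPort    = (Get-ItemProperty $rdpKey -ErrorAction SilentlyContinue).PortNumber
if (-not $rdpPort) { $rdpPort = 3389 }                       # default when the key is absent
$nla = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
       -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy -ErrorAction SilentlyContinue
$nlaRequired = ($nla -ne $null) -and ($nla.UserAuthenticationRequired -eq 1)

New-Object PSObject -Property @{
    Host           = $env:COMPUTERNAME
    RdpEnabled     = $rdpEnabled
    RdpPort        = $rdpPort
    NlaSupported   = ($nla -ne $null)                        # no NLA settings = unsupported
    NlaRequired    = $nlaRequired
    PreAuthExposed = $rdpEnabled -and -not $nlaRequired      # the condition the post warns about
} | Format-List

# --- Workarounds, applied only when the matching switch is given ---
if ($EnableNla) {
    if ($nla) {
        $nla.SetUserAuthenticationRequired(1) | Out-Null
        Write-Host "NLA is now required for RDP-Tcp connections."
    } else {
        Write-Warning "NLA is not supported here; disable RDP or block the port instead."
    }
}
if ($DisableRdp) {
    Set-ItemProperty $tsKey -Name fDenyTSConnections -Value 1
    Write-Host "Remote Desktop disabled."
}
if ($BlockPort) {
    netsh advfirewall firewall add rule name="Block inbound RDP - CVE-2019-0708 workaround" `
        dir=in action=block protocol=TCP localport=$rdpPort | Out-Null
    Write-Host "Inbound TCP/$rdpPort blocked in Windows Firewall."
}
```

Run it with no switches first to see the current state; a host reporting PreAuthExposed = True and no patch applied is the case the workarounds are for.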