A critical RCE vulnerability has been disclosed in Remote Desktop Services (RDS; on earlier OSs, Terminal Services, TS) in Windows (CVE-2019-0708). If successfully exploited, it allows an unauthenticated attacker to execute arbitrary code remotely on the attacked system.
According to the information provided by Microsoft, successful exploitation requires only network access to a host or server running a vulnerable version of Windows. Thus, if the service is published on the perimeter, the vulnerability can be exploited directly from the Internet, without any additional delivery method. Recommended protective measures are given below.
At the moment, the vulnerability is relevant for several dozen organizations in Russia and more than 2 million organizations worldwide, and the potential damage from delaying a prompt response and protective measures would be comparable to the damage caused by the SMB protocol vulnerability CVE-2017-0144 (EternalBlue).
To exploit this vulnerability, an attacker only needs to send a specially crafted request to the remote desktop service of the target system over RDP (the RDP protocol itself is not vulnerable).
It is important to note that any malware using this vulnerability can spread from one vulnerable computer to another, in the same way as the WannaCry ransomware that spread around the world in 2017.
Affected Windows versions:
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for Itanium-Based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows XP SP3 x86
- Windows XP Professional x64 Edition SP2
- Windows XP Embedded SP3 x86
- Windows Server 2003 SP2 x86
- Windows Server 2003 x64 Edition SP2
Recommended protection measures:
- If an RDP service on a vulnerable OS is already published on the outer perimeter, close that access until the vulnerability is fixed.
- Install the required Windows updates, starting with the hosts on the perimeter and then across the entire infrastructure: patches for Windows 7, Windows 2008, Windows XP and Windows 2003.
Possible additional compensating measures:
- Enable Network Level Authentication (NLA). Note that vulnerable systems will still be exposed to remote code execution (RCE) if an attacker holds valid credentials that can be used to authenticate successfully.
- Disable RDP until the update is installed and use alternative ways to access resources.
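As an added example (not part of the original advisory), the following PowerShell script audits a single Windows host for the exposure and the compensating measures described above: whether the OS belongs to one of the affected kernel families, whether RDP is enabled, and whether NLA is required. It does not check whether the update is installed, because the page does not list the update identifiers; the kernel-version test is an assumption that approximates the product list above (it is coarser, e.g. Vista shares kernel 6.0 with Server 2008).

```powershell
# Added example: local audit of CVE-2019-0708 exposure on one Windows host.
# Uses WMI and the registry so it also runs on PowerShell 2.0 (Windows 7 / 2008 R2).
# Run in an elevated PowerShell session on the host being checked.

$os = Get-WmiObject -Class Win32_OperatingSystem
# Assumption: affected families by kernel version - 5.x = XP/2003, 6.0 = Server 2008, 6.1 = 7/2008 R2.
# This is coarser than the product list in the advisory; confirm against that list.
$ver = [version]$os.Version
$affectedFamily = ($ver.Major -eq 5) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

# fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# Win32_TSGeneralSetting.UserAuthenticationRequired: 1 = NLA required, 0 = not required.
# The TerminalServices namespace is absent on XP/2003, so the query is allowed to fail there.
$rdpTcp = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGeneralSetting `
          -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
$nlaRequired = ($rdpTcp -ne $null -and $rdpTcp.UserAuthenticationRequired -eq 1)

"OS:              $($os.Caption) (version $($os.Version))"
"Affected family: $affectedFamily"
"RDP enabled:     $rdpEnabled"
"NLA required:    $nlaRequired"

if ($affectedFamily -and $rdpEnabled) {
    if (-not $nlaRequired) {
        Write-Warning "If unpatched, this host is reachable pre-authentication over RDP. Apply the update; until then disable RDP or require NLA."
        # Compensating measure from the advisory: require NLA on the RDP-Tcp listener.
        # Uncomment to enforce (NLA does not protect against an attacker holding valid credentials):
        # $rdpTcp.SetUserAuthenticationRequired(1) | Out-Null
    } else {
        Write-Warning "NLA is required, but until patched the host remains exploitable by an attacker with valid credentials."
    }
}
```

To disable RDP entirely until the update is applied, set fDenyTSConnections to 1 under the same registry key and confirm the perimeter no longer forwards TCP 3389 to the host.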