REMOTE DESKTOP SERVICES ‘WORMABLE’ VULNERABILITY

Priority: High

Executive Summary: Microsoft have addressed a remote code execution vulnerability found in their Remote Desktop Services (formally known as Terminal Services in Windows Server 2008 and earlier) affecting older versions of Windows prior to Windows 8. The security flaw, CVE-2019-0708, allows an attacker to send maliciously crafted packets towards a device running Remote Desktop Services and achieve arbitrary code execution without authentication or user-interaction. This means that the exploit is ‘wormable’; it can easily propagate between vulnerable devices. Microsoft have stated that ‘any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017’. Due to the nature of the exploit this future scenario is thought to be incredibly likely, and vulnerable systems should be patched as soon as possible to avoid devices becoming victim to such an attack. Microsoft have released patches to unsupported systems affected because of the severity of the situation.

Systems with Network Level Authentication (NLA) enabled are partially protected against ‘wormable’ forms of this malware, as NLA requires authentication before exploitation is possible. However, if an attacker has acquired valid user credentials, they will still be able to exploit the vulnerability. This is particularly problematic due to the widespread use of common passwords.

Detect: Any affected operating systems which have not already been updated will be affected by this vulnerability.

ITC customers who are subscribed to the ITC VI service can request a scan to identify affected operating systems.

Affected Products: The following operating systems are susceptible to this vulnerability:

  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows 2003
  • Windows XP

Prevent: Microsoft have released security updates for all affected products. Downloads for supported operating systems, Windows 7, Windows Server 2008 and Windows Server 2008 R2, can be found in the Microsoft Security Update Guide [2].

Security fixes for out-of-support systems, Windows 2003 and Windows XP, can be found in KB4500705 [3].

It is possible to mitigate the issue by disabling Remote Desktop Services where it is not required. It is also possible to implement workarounds by enabling NLA on affected operating systems which are in-support, and by blocking TCP port 3389 at the perimeter firewall. However, it is worth noting that an attacker who has acquired valid user credentials will be able to pass NLA and exploit the vulnerability. It is also worth recognising that similarly to how WannaCry first infected machines through malicious emails before spreading across networks, malware exploiting this vulnerability will likely be bundled into a package which first compromises a single device and then spreads laterally, so blocking Remote Desktop Protocol (RDP) access at the firewall will not prevent the spread of infection. It is therefore strongly recommended that the appropriate updates are applied, rather than implementing workarounds. Blocking inbound RDP on the firewall unless absolutely necessary is the recommended best security practice regardless of this vulnerability, but ensuring that this is the case will safeguard against any devices being exploited externally if this does become exploited in the wild.

React: The appropriate security updates should be applied to all affected systems immediately.

Sources:
[1] https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
[3] https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708