Critical “wormable” vulnerability in RDP

Written by Cyberon on 15 May 2019
Severity: Critical
Dispersion:
Operating System: Windows XP, 7, 2008 and 2008 R2
Category: Vulnerabilities
Sources: Cisco Talos, Microsoft

From Alert

On May 14, 2019, Microsoft released patches for a critical vulnerability (CVE-2019-0708). Exploitation uses a specially crafted packet to execute arbitrary code on the victim system and does not require successful authentication. It requires only that the system be vulnerable and reachable via RDP from the attack platform.

Inbound RDP at the edge of your network should be restricted as much as possible, preferably to only allow specific authorized sources.

Description

The vulnerability allows an attacker to execute malicious code remotely on a vulnerable system. This is done by sending specially crafted packets to the target system's Remote Desktop service over the Remote Desktop Protocol.
The exploit needs no user interaction, which makes it “wormable”: malware that compromises a system through this vulnerability can propagate from one vulnerable system to another, much as the WannaCry malware spread across the globe in 2017.

Systems Affected 

Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Recommended actions

Patch

  • Install the updates for this vulnerability: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
  • For older versions of Windows: https://support.microsoft.com/en-ca/help/4500705/customer-guidance-for-cve-2019-0708
  • Disable the RDP service if you’re not using it.
  • Inbound RDP at the edge of your network should be restricted as much as possible, preferably to only allow specific authorized sources.
  • Malware attempting to exploit this vulnerability will target systems on the default RDP port (TCP port 3389); block it at the firewall.
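As an added example (not part of the original advisory or of Microsoft's guidance), the following PowerShell audits a single host against the recommendations above: whether it belongs to an affected OS family, whether an update from the advisory is installed, whether RDP is enabled and on which port, and which enabled inbound firewall rules admit that port from any source. The KB list, the rule name in the remediation comment and the management subnet are placeholders to be filled from the advisory and your own environment.

```powershell
# Added example, not part of the original advisory: audits one host for CVE-2019-0708 exposure.
# Written for Windows 7 / Server 2008 / 2008 R2 (PowerShell 2.0, English netsh output); run elevated.
# $PatchKBs is a PLACEHOLDER: fill it from the Microsoft advisory for the exact OS and build.
$PatchKBs = @('KB0000000')

function Get-Cve20190708Status {
    $os = Get-WmiObject Win32_OperatingSystem
    # Server 2008 reports kernel 6.0; Windows 7 and Server 2008 R2 report 6.1.
    $affectedOs = [bool]($os.Version -match '^6\.[01]\.')

    # Patch state: the fix counts as installed if any listed KB is present.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $patched = @($PatchKBs | Where-Object { $installed -contains $_ }).Count -gt 0

    # fDenyTSConnections = 0 means Remote Desktop accepts inbound connections.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = ((Get-ItemProperty $tsKey).fDenyTSConnections -eq 0)
    $port = (Get-ItemProperty "$tsKey\WinStations\RDP-Tcp").PortNumber   # default 3389

    # Enabled inbound allow rules for the RDP port whose remote address is unrestricted ("Any").
    $rules = (netsh advfirewall firewall show rule name=all dir=in | Out-String) -split "(?:\r?\n){2,}"
    $openRules = $rules | Where-Object {
        $_ -match 'Enabled:\s+Yes' -and $_ -match 'Action:\s+Allow' -and
        $_ -match "LocalPort:\s+($port|Any)\b" -and $_ -match 'RemoteIP:\s+Any'
    } | ForEach-Object { if ($_ -match 'Rule Name:\s+(.+)') { $Matches[1].Trim() } }

    New-Object PSObject -Property @{
        OperatingSystem   = $os.Caption
        AffectedOsFamily  = $affectedOs
        PatchInstalled    = $patched
        RdpEnabled        = $rdpEnabled
        RdpPort           = $port
        UnrestrictedRules = $openRules
        # Exposed: affected family, unpatched, RDP enabled, and reachable from any source address.
        Exposed           = ($affectedOs -and -not $patched -and $rdpEnabled -and @($openRules).Count -gt 0)
    }
}

$status = Get-Cve20190708Status
$status | Format-List

if ($status.Exposed) {
    Write-Warning 'Install the update, or disable RDP / restrict the listed rules to authorized sources.'
    # Remediation pattern (placeholder rule name and subnet; review $status.UnrestrictedRules first):
    # netsh advfirewall firewall set rule name="<rule name>" new remoteip=10.0.0.0/24
}
```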

More information and references:

• https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/#more-47682
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
• https://cyberonsecurity.com/2019/04/23/ransomware-attacks-via-rdp-on-the-rise/
