Patch IMMEDIATELY! - Microsoft Remote Desktop Services Remote Code Execution Vulnerability (CVE-2019-0708)

May 14, 2019

Summary

*** Vulnerable RDP servers should be patched IMMEDIATELY even where there is a potential business impact (unscheduled maintenance). Notify security@berkeley.edu if you anticipate any delays in patching. ***

A remote code execution vulnerability exists in Microsoft Remote Desktop Services – formerly known as Terminal Services.

An unauthenticated attacker can exploit this vulnerability by connecting to the target system using the Remote Desktop Protocol (RDP) and sending specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. 

RDP on Microsoft Server 2008/2008 R2 and Windows 7 is affected. Microsoft has also issued patches for the End-of-Life operating systems Windows Server 2003 and Windows XP. [1] [2] [3]

Impact

An attacker who successfully exploits this vulnerability can execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. [1]

Microsoft has advised that this vulnerability is “wormable”, meaning that any future malware that exploits it could propagate from vulnerable computer to vulnerable computer, much as the WannaCry malware spread across the globe in 2017. [4]

Vulnerable

  • Microsoft Windows Server 2008 R2 for x64-based Systems SP1
  • Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
  • Microsoft Windows Server 2008 for x64-based Systems SP2
  • Microsoft Windows Server 2008 for Itanium-based Systems SP2
  • Microsoft Windows Server 2008 for 32-bit Systems SP2
  • Microsoft Windows 7 for x64-based Systems SP1
  • Microsoft Windows 7 for 32-bit Systems SP1
  • Microsoft Windows Server 2003 SP2 x86
  • Microsoft Windows Server 2003 x64 Edition SP2
  • Microsoft Windows XP SP3 x86
  • Microsoft Windows XP Professional x64 Edition SP2
  • Microsoft Windows XP Embedded SP3 x86

Recommendations

  • Patch vulnerable systems IMMEDIATELY.

  • Patching priority should first focus on Internet-facing RDP servers, then Campus network-facing RDP servers, and finally any other RDP servers that are internal or restricted to trusted IP addresses. All vulnerable RDP servers should be patched without delay.

  • Notify security@berkeley.edu if you anticipate any delays in patching.

  • There are no known workarounds for this vulnerability. Enabling Network Level Authentication (NLA) on RDP servers can mitigate wormable malware, but those servers are still vulnerable if valid credentials are used.
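
The patching order above applied to a host inventory, as an added example that is not part of the original advisory. The inventory fields, the campus range (a documentation prefix), the rule that maps firewall sources to a tier, and the choice to sort hosts without NLA first within a tier are all assumptions of this example.

```python
import ipaddress

# Platform families from the advisory's "Vulnerable" list.
VULNERABLE = ("windows server 2008", "windows 7", "windows server 2003", "windows xp")
# Constructed campus range (a documentation prefix); substitute real ranges.
CAMPUS_NETS = [ipaddress.ip_network("198.51.100.0/24")]
TIERS = ("internet-facing", "campus-facing", "internal/restricted")

def is_vulnerable_os(os_name):
    name = " ".join(os_name.lower().replace("microsoft", "").split())
    return name.startswith(VULNERABLE)

def exposure_tier(allowed_sources):
    """0: RDP open to any address; 1: open to a whole campus network; 2: narrower."""
    tier = 2
    for src in allowed_sources:
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen == 0:
            return 0
        if any(c.version == net.version and c.subnet_of(net) for c in CAMPUS_NETS):
            tier = 1
    return tier

def patch_queue(inventory):
    """Unpatched vulnerable hosts, most exposed first. NLA never removes a host."""
    queue = []
    for h in inventory:
        if h["patched"] or not is_vulnerable_os(h["os"]):
            continue
        # Assumption of this example: within a tier, hosts without NLA sort first
        # (False < True), since NLA only hinders unauthenticated, wormable spread.
        queue.append((exposure_tier(h["rdp_from"]), h["nla"], h["host"]))
    return [(host, TIERS[tier], nla) for tier, nla, host in sorted(queue)]

def _h(host, os_name, patched, nla, rdp_from):
    return {"host": host, "os": os_name, "patched": patched, "nla": nla, "rdp_from": rdp_from}

# Constructed inventory; host names and firewall sources are made up.
INVENTORY = [
    _h("ts-lab-01", "Microsoft Windows 7 for x64-based Systems SP1", False, True, ["198.51.100.0/24"]),
    _h("kiosk-07", "Microsoft Windows XP SP3 x86", False, False, ["0.0.0.0/0"]),
    _h("fin-app-02", "Microsoft Windows Server 2008 R2 for x64-based Systems SP1", False, False, ["198.51.100.17/32"]),
    _h("web-03", "Microsoft Windows Server 2008 for 32-bit Systems SP2", True, False, ["0.0.0.0/0"]),
    _h("rds-new", "Microsoft Windows Server 2016", False, True, ["0.0.0.0/0"]),
    _h("hist-db", "Microsoft Windows Server 2003 SP2 x86", False, False, ["198.51.100.0/24", "203.0.113.5/32"]),
]

if __name__ == "__main__":
    for host, tier, nla in patch_queue(INVENTORY):
        print(f"{host:12} {tier:20} NLA={'on' if nla else 'off'}")
```

Hosts with NLA enabled stay in the queue because the advisory treats NLA as a partial mitigation, not a fix.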

References