Microsoft has released a patch for a vulnerability in its Remote Desktop Services that could be exploited remotely, via RDP, without authentication and used to execute arbitrary code:
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system via RDP and sends specially crafted requests. This vulnerability is pre-authentication and does not require user interaction. An attacker who successfully exploited this vulnerability could run arbitrary code on the target system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.
It doesn't get much worse than that.
Fixes are included for versions of Windows 7 and Windows 2008 (see the full list for advice) as part of Microsoft's most recent Patch Tuesday. Patches are also available for versions of Windows XP and Windows 2003 (see the customer support page for the full list). For all the details about this month's Patch Tuesday, including some other critical fixes, read the SophosLabs analysis of May's Patch Tuesday.
The bug is described as 'wormable', which means that it has the potential to be used in malware that spreads itself across and between networks.
Millions of computer networks around the world have exposed RDP to the outside world so that they can be managed not only from their local network but also over the internet. Sometimes this external access was enabled deliberately; sometimes the exposure is an unintended mistake – but in both cases a network where RDP can be reached from outside is a possible entry point for an automated attack to reach a new victim.
Given the number of targets and the potential for an explosive, exponential spread, we recommend that you treat it as a matter of when, not if, the patch is reverse engineered and an exploit is created, so you should update immediately. See the "What to do?" section if you want to know more.
The fact that Microsoft has taken the exceptional step of issuing patches for Windows XP and Windows 2003 is instructive.
Given the potential impact on customers and their businesses, we have made the decision to make security updates available for platforms that are no longer in regular support … We recommend that customers running one of these operating systems download and install the update as soon as possible.
In the five years since the end-of-support date for Windows XP and 2003, Microsoft has issued countless patches for critical problems in its current family of operating systems that it has not backported to those old products. It has broken that support embargo only four times, including this one, most notably during the 2017 WannaCry outbreak.
WannaCry was a ransomware worm that spread around the world in a single day by exploiting a bug in version 1 of Microsoft's SMB software (SMBv1). The worm had no trouble infecting hundreds of thousands of Windows systems, despite the age of the software and the fact that a patch had been released the previous month.
As if to demonstrate our continuing collective failure to learn the lesson about the importance of patching, WannaCry was followed just over a month later by NotPetya, another global ransomware outbreak that used the same exploit.
Whatever you do, patch.
If for some reason you cannot patch immediately, Microsoft offers the following mitigations and temporary workarounds:
- Enable Network Level Authentication (NLA). This forces a user to authenticate before RDP is exposed to the attacker. Not all affected systems support NLA.
- Switch off RDP. If RDP is not active, the vulnerability cannot be exploited. As obvious as this may seem, some organizations cannot work without RDP, and some run it without realizing it.
- Block TCP port 3389. Blocking port 3389 (and all other ports that you have assigned to RDP) at the edge will prevent an attack from entering your network, but cannot stop an attack from your network.
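As an added example (not from the article or from Microsoft), the following PowerShell audits the three workarounds above on a single Windows host. It assumes the standard Terminal Server registry keys and, for the listener and firewall checks, the NetTCPIP/NetSecurity cmdlets shipped with Windows 8/Server 2012 and later; run it from an elevated prompt.

```powershell
# Added example: audit RDP exposure on this host against the three workarounds.
# Registry locations are the standard Terminal Server settings (assumption: defaults).
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Join-Path $ts 'WinStations\RDP-Tcp'

# Workaround 2: is Remote Desktop switched off?
$rdpDisabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 1

# Workaround 1: is Network Level Authentication required before a session is created?
$nlaRequired = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1

# Workaround 3: which port is RDP bound to (3389 unless it has been reassigned)?
$rdpPort = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

# Is anything actually listening on that port right now?
$listening = Get-NetTCPConnection -State Listen -LocalPort $rdpPort -ErrorAction SilentlyContinue

# Enabled inbound firewall rules that explicitly allow the RDP port.
# Note: rules using 'Any' or a port range are not matched by this simple filter.
$allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$rdpPort" }

[pscustomobject]@{
    RemoteDesktopDisabled = $rdpDisabled
    NlaRequired           = $nlaRequired
    RdpPort               = $rdpPort
    Listening             = [bool]$listening
    InboundAllowRules     = @($allowRules).Count
}

# Interim remediation while the patch is pending (uncomment to apply):
# Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1   # require NLA
# Set-ItemProperty -Path $ts  -Name fDenyTSConnections -Value 1   # switch RDP off
```

A host that is not patched should show NlaRequired as True, or RemoteDesktopDisabled as True, or no listener and no inbound allow rule for the port; anything else leaves the pre-authentication path open.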
Tags: Microsoft, vulnerability, Windows, CVE-2019-0708, RDP