‘Wormable’

When a post starts like this:

“On May 14, Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. In our previous blog post on this topic we warned that the vulnerability is ‘wormable’, and that future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.” – https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/

“Microsoft is confident that an exploit exists for this vulnerability”

You tend to pay attention when the vendor says this. Not that it should have escaped attention on the 14th of May but the world is a complex place and despite all good intentions getting patches deployed isn’t as easy as ‘just patch’.

Since the vulnerability was patched and publicly disclosed there’s been a whole raft of exploit claims, most of which are jokes/hoaxes (or even replays of MS12-020) designed for the lulz or containing other malware etc.

In case you have missed the bulletin I’ve provided the summary statement:

CVE-2019-0708

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

This CVE concerns a vulnerability in the RDP services (when Network Level Authentication is NOT enabled).

“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.”

This vulnerability affects the following Windows versions:

  • Windows XP
  • Windows Server 2003
  • Windows 7 SP1
  • Windows Server 2008 SP2
  • Windows Server 2008 SP1

Mitigations for this vulnerability include:

  • Deploying the patch
  • Disabling RDP if it’s not required
  • Enabling Network Layer Authentication
  • Block inbound RDP (TCP 3389 by default) on the perimeter firewall

Exploitability

“nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708”

Whilst there is no publicly available remote code execution code, it is believed that a variant of an exploit which can create a denial of service condition exists. Microsoft are of the belief that it is very possible an exploit may be released into the world in the near future.

Thanks & References

Thanks to the usual suspects for keeping twitter sphere updated:

https://twitter.com/campuscodi

https://twitter.com/GossiTheDog

https://twitter.com/2sec4u

and the many other’s I haven’t managed to mention!

https://www.zdnet.com/article/microsoft-issues-second-warning-about-patching-bluekeep-as-poc-code-goes-public/

Call Now!