On Tuesday May 14th, 2019 Microsoft released a security update to address a critical vulnerability in Remote Desktop Services in Microsoft Windows (CVE-2019-0708). This vulnerability is pre-authentication, which means no user interaction or valid authentication is required. If exploited, this vulnerability has the potential of spreading across a corporate internal network and across the Internet as a computer worm.
Independent security researchers have confirmed that the vulnerability is exploitable, and have created proof-of-concept exploits. At the time of writing (23-05-2019) there is no confirmed evidence that threat actors have created working exploits or are actively using them in the wild. However, we expect it is only a matter of time before we see the vulnerability being actively exploited.
CVE-2019-0708 affects the following Windows systems:
- Windows XP SP3 x86
- Windows XP Professional x64 Edition SP2
- Windows XP Embedded SP3 x86
- Windows Server 2003 SP2 x86
- Windows Server 2003 x64 Edition SP2
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for Itanium-Based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
For Windows systems still supported by Microsoft (Windows 7, Windows Server 2008), install the security update for CVE-2019-0708 using the Windows Update service.
For Windows systems no longer supported by Microsoft (Windows XP, Windows Server 2003), download and install the security update from https://support.microsoft.com/en-ca/help/4500705/customer-guidance-for-cve-2019-0708
If installation of the security update is not possible, mnemonic recommends taking the following short-term remediation actions:
- Disable Windows Remote Desktop Services on vulnerable systems
- In your firewall, limit/whitelist the IP addresses that can connect to Windows Remote Desktop Services
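The two short-term actions above can be applied and checked from PowerShell. This is an added example, not part of the original advisory: it reports whether RDP is enabled, whether Network Level Authentication is required, and whether the inbound firewall rules for RDP accept any source address, then optionally denies RDP connections or scopes those rules to an allowlist. The parameter names and the sample network are made up for illustration, and it assumes RDP on the default TCP port 3389 and Windows Firewall as the host firewall.

```powershell
# Added example, not part of the advisory. Run elevated on Windows 7 / Server 2008 R2
# (PowerShell 2.0 compatible). Assumption: RDP listens on the default TCP port 3389.
param(
    [string[]]$AllowedSources = @(),  # e.g. '10.20.30.0/24' (constructed); empty = audit only
    [switch]$DisableRdp               # deny Remote Desktop connections on this host
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    $deny = (Get-ItemProperty -Path $tsKey).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpKey).UserAuthentication
    $fw   = New-Object -ComObject HNetCfg.FwPolicy2
    # Enabled inbound (Direction 1) TCP (Protocol 6) rules that open exactly port 3389
    $rules = @($fw.Rules | Where-Object {
        $_.Enabled -and $_.Direction -eq 1 -and $_.Protocol -eq 6 -and $_.LocalPorts -eq '3389'
    })
    New-Object PSObject -Property @{
        RdpEnabled  = ($deny -eq 0)
        NlaRequired = ($nla -eq 1)
        OpenToAny   = [bool]($rules | Where-Object { $_.RemoteAddresses -eq '*' })
        Rules       = $rules
    }
}

$state = Get-RdpExposure

if ($DisableRdp) {
    # 1 = deny incoming Remote Desktop connections
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
}

if ($AllowedSources.Count -gt 0) {
    # Replace the remote scope of every matching rule with the allowlist
    foreach ($rule in $state.Rules) {
        $rule.RemoteAddresses = ($AllowedSources -join ',')
    }
}

# Report the resulting state
Get-RdpExposure | Select-Object RdpEnabled, NlaRequired, OpenToAny
```

Run it with no arguments first to audit only. Firewall rules deployed through Group Policy have to be scoped in the GPO instead of on the host.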
mnemonic also recommends taking the following long-term remediation actions:
- Upgrade vulnerable systems that are End of Support to a newer version of Windows
- Implement a secure VPN solution (or similar Network Level Authentication mechanism) for using remote desktop services rather than exposing these services directly on the Internet.
References:
- Microsoft security bulletin: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
- Microsoft blog post: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
- Microsoft customer guidance: https://support.microsoft.com/en-ca/help/4500705/customer-guidance-for-cve-2019-0708