Microsoft has fixed a critical vulnerability in some versions of Windows that can be exploited to create a powerful worm. The vulnerability, tracked as CVE-2019-0708, is located in Remote Desktop Services. Because the risk and vulnerability are “that” high, Microsoft even released patches for Windows XP and Windows Server 2003, even it these platforms are out of support for year (even if still used).

This post includes excerpts from a CSO Online article “Microsoft urges Windows customers to patch wormable RDP flaw”. Read the full article here.

What makes the vulnerability so dangerous is that it can be exploited remotely with no authentication or user interaction by simply sending a maliciously crafted RDP request to a vulnerable system. A successful attack can result in malicious code being executed on the system with full user rights, giving attackers the ability to install programs, modify or delete user data and even to create new accounts.

„In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,“ Simon Pope, director of Incident Response at the Microsoft Security Response Center, said in a blog post.

„While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.“

RDP has been a popular infection vector for malware threats in the past, particularly for ransomware, crypto miners and point-of-sale memory scrapers. Attackers typically steal or brute-force RDP credentials in order to gain access to systems. Unfortunately, too many RDP environments are left without the proper security perimeter as Awingu research showed in 2018 (e.g. Belgium, Italy, Sweden).

Impacting legacy platforms

The vulnerability affects Remote Desktop Services in Windows 7, Windows Server 2008 R2 and Windows Server 2008, as well as in legacy Windows versions that have reached end of life. In addition to supported Windows versions, Microsoft decided to release security updates for Windows XP, Windows XP Embedded and Windows Server 2003, probably because these Windows versions are still widely used in legacy environments and on specialized equipment like ATMs, medical devices, self-service kiosks, point-of-sale terminals and more.

Solving the vulnerability with Awingu & best practices

With Awingu, users don’t get direct access to the RDP infrastructure. Everything runs through a secure connection in the browser. As such, a lot of the RDP vulnerabilities are not that relevant of a risk. However, it is best to practice to update your systems with the relevant patch as soon as possible. Microsoft furthermore advises the following:

  • Disable Remote Desktop Services if they are not required. If you no longer need these services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.
  • Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2
  • Block TCP port 3389 at the enterprise perimeter firewall to prevent attacks that originate from the internet. (in case of Awingu, 3389 is not required. Internet access runs via port 443 (https))